From nobody Tue Dec 16 16:35:51 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E487F235BE2; Thu, 11 Dec 2025 01:20:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416052; cv=none; b=ct2odmqDEngQWIGPs+GrXo+G5+cWuti5vSg7jSKfeVF6TcK2euk9JxSpzrT96HIPn2RrRBAwOjTfb76ftG4m+X18zq19KPPdbCzrKH3iY4PB5v8Q0/sCtxJ/d2yhYR1qcsaQNCA1MyS5aCJhpiUY//5raeFZqvY/kUa1zTsC+K4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416052; c=relaxed/simple; bh=Mt0okajc2BNMEQ0JbXrBJGsKVTUdYHEAPI3w7kq/was=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=eEDlzT055R9TqJYylji2PatxvCDkYzDjrNWCLos8c/HTZF92cqb85O8C/AxRe6T5T1NNMwhhBBwMa0T7MKe5QPvJhbi2N23EYifuKgt6SHxVV6dY6obesJX/su7fh9hyLmtY43zK0YBHf9QbOykHVeVlM92lfzhRlOvfUtkgxcg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=QD4RAsdw; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="QD4RAsdw" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4EEE1C4CEF7; Thu, 11 Dec 2025 01:20:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1765416051; bh=Mt0okajc2BNMEQ0JbXrBJGsKVTUdYHEAPI3w7kq/was=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=QD4RAsdwf8VyCs1ovST49geUWITQhk6L2/eTaueloq7cUw7dV+fd6FIBaLLad+1le pd6bKlTTfh5ruBgTMXqW422DfIYFVeUSq+KKx0WN2UDX8ZFPiXUYYg2U8grnpeTE+F vwLdpmm6f1p/FoDw1NHHodDZGgj4Av/KoyeLrDpmgVPAZlaawb5gLigh3yeCvWRGWL 1zwJc+NVpOa3cfDhPQc/EfFnY0oaQH9yV6MC/eht1qRpQHzwTDtmYQ3UQWhGiNhbqG Ts/ErccBJ7BSi8lOTazHQd4k/7skhWo10garv7kPi26T1LTqIHp3cmjw/EhlV3qpaF 5tr9ghLGHDXwQ== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , Herbert Xu , linux-arm-kernel@lists.infradead.org, x86@kernel.org, Eric Biggers Subject: [PATCH 01/12] lib/crypto: nh: Add NH library Date: Wed, 10 Dec 2025 17:18:33 -0800 Message-ID: <20251211011846.8179-2-ebiggers@kernel.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251211011846.8179-1-ebiggers@kernel.org> References: <20251211011846.8179-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Add support for the NH "almost-universal hash function" to lib/crypto/, specifically the variant of NH used in Adiantum. This will replace the need for the "nhpoly1305" crypto_shash algorithm. All the implementations of "nhpoly1305" use architecture-optimized code only for the NH stage; they just use the generic C Poly1305 code for the Poly1305 stage. We can achieve the same result in a simpler way using an (architecture-optimized) nh() function combined with code in crypto/adiantum.c that passes the results to the Poly1305 library. This commit begins this cleanup by adding the nh() function. The code is derived from crypto/nhpoly1305.c and include/crypto/nhpoly1305.h. Signed-off-by: Eric Biggers --- include/crypto/nh.h | 52 ++++++++++++++++++++++++++++ lib/crypto/Kconfig | 10 ++++++ lib/crypto/Makefile | 8 +++++ lib/crypto/nh.c | 82 +++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 152 insertions(+) create mode 100644 include/crypto/nh.h create mode 100644 lib/crypto/nh.c diff --git a/include/crypto/nh.h b/include/crypto/nh.h new file mode 100644 index 000000000000..465e85bf203f --- /dev/null +++ b/include/crypto/nh.h @@ -0,0 +1,52 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * NH hash function for Adiantum + */ + +#ifndef _CRYPTO_NH_H +#define _CRYPTO_NH_H + +#include + +/* NH parameterization: */ + +/* Endianness: little */ +/* Word size: 32 bits (works well on NEON, SSE2, AVX2) */ + +/* Stride: 2 words (optimal on ARM32 NEON; works okay on other CPUs too) */ +#define NH_PAIR_STRIDE 2 +#define NH_MESSAGE_UNIT (NH_PAIR_STRIDE * 2 * sizeof(u32)) + +/* Num passes (Toeplitz iteration count): 4, to give =CE=B5 =3D 2^{-128} */ +#define NH_NUM_PASSES 4 +#define NH_HASH_BYTES (NH_NUM_PASSES * sizeof(u64)) + +/* Max message size: 1024 bytes (32x compression factor) */ +#define NH_NUM_STRIDES 64 +#define NH_MESSAGE_WORDS (NH_PAIR_STRIDE * 2 * NH_NUM_STRIDES) +#define NH_MESSAGE_BYTES (NH_MESSAGE_WORDS * sizeof(u32)) +#define NH_KEY_WORDS (NH_MESSAGE_WORDS + \ + NH_PAIR_STRIDE * 2 * (NH_NUM_PASSES - 1)) +#define NH_KEY_BYTES (NH_KEY_WORDS * sizeof(u32)) + +/** + * nh() - NH hash function for Adiantum + * @key: The key. @message_len + 48 bytes of it are used. This is NH_KEY= _BYTES + * if @message_len has its maximum length of NH_MESSAGE_BYTES. + * @message: The message + * @message_len: The message length in bytes. Must be a multiple of 16 + * (NH_MESSAGE_UNIT) and at most 1024 (NH_MESSAGE_BYTES). + * @hash: (output) The resulting hash value + * + * Note: the pseudocode for NH in the Adiantum paper iterates over 1024-by= te + * segments of the message, computes a 32-byte hash for each, and returns = all + * the hashes concatenated together. In contrast, this function just hash= es one + * segment and returns one hash. It's the caller's responsibility to call= this + * function for each 1024-byte segment and collect all the hashes. + * + * Context: Any context. + */ +void nh(const u32 *key, const u8 *message, size_t message_len, + __le64 hash[NH_NUM_PASSES]); + +#endif /* _CRYPTO_NH_H */ diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig index ee6ab129d0cf..f14c9f5974d8 100644 --- a/lib/crypto/Kconfig +++ b/lib/crypto/Kconfig @@ -106,10 +106,20 @@ config CRYPTO_LIB_MLDSA select CRYPTO_LIB_SHA3 help The ML-DSA library functions. Select this if your module uses any of the functions from . =20 +config CRYPTO_LIB_NH + tristate + help + Implementation of the NH almost-universal hash function, specifically + the variant of NH used in Adiantum. + +config CRYPTO_LIB_NH_ARCH + bool + depends on CRYPTO_LIB_NH && !UML + config CRYPTO_LIB_POLY1305 tristate help The Poly1305 library functions. Select this if your module uses any of the functions from . diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index a0578105266f..929b84568809 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -129,10 +129,18 @@ endif # CONFIG_CRYPTO_LIB_MD5_ARCH obj-$(CONFIG_CRYPTO_LIB_MLDSA) +=3D libmldsa.o libmldsa-y :=3D mldsa.o =20 ##########################################################################= ###### =20 +obj-$(CONFIG_CRYPTO_LIB_NH) +=3D libnh.o +libnh-y :=3D nh.o +ifeq ($(CONFIG_CRYPTO_LIB_NH_ARCH),y) +CFLAGS_nh.o +=3D -I$(src)/$(SRCARCH) +endif + +##########################################################################= ###### + obj-$(CONFIG_CRYPTO_LIB_POLY1305) +=3D libpoly1305.o libpoly1305-y :=3D poly1305.o ifeq ($(CONFIG_ARCH_SUPPORTS_INT128),y) libpoly1305-$(CONFIG_CRYPTO_LIB_POLY1305_GENERIC) +=3D poly1305-donna64.o else diff --git a/lib/crypto/nh.c b/lib/crypto/nh.c new file mode 100644 index 000000000000..e1d0095b5289 --- /dev/null +++ b/lib/crypto/nh.c @@ -0,0 +1,82 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright 2018 Google LLC + */ + +/* + * Implementation of the NH almost-universal hash function, specifically t= he + * variant of NH used in Adiantum. This is *not* a cryptographic hash fun= ction. + * + * Reference: section 6.3 of "Adiantum: length-preserving encryption for + * entry-level processors" (https://eprint.iacr.org/2018/720.pdf). + */ + +#include +#include +#include +#include +#include + +#ifdef CONFIG_CRYPTO_LIB_NH_ARCH +#include "nh.h" /* $(SRCARCH)/nh.h */ +#else +static bool nh_arch(const u32 *key, const u8 *message, size_t message_len, + __le64 hash[NH_NUM_PASSES]) +{ + return false; +} +#endif + +void nh(const u32 *key, const u8 *message, size_t message_len, + __le64 hash[NH_NUM_PASSES]) +{ + u64 sums[4] =3D { 0, 0, 0, 0 }; + + if (nh_arch(key, message, message_len, hash)) + return; + + static_assert(NH_PAIR_STRIDE =3D=3D 2); + static_assert(NH_NUM_PASSES =3D=3D 4); + + while (message_len) { + u32 m0 =3D get_unaligned_le32(message + 0); + u32 m1 =3D get_unaligned_le32(message + 4); + u32 m2 =3D get_unaligned_le32(message + 8); + u32 m3 =3D get_unaligned_le32(message + 12); + + sums[0] +=3D (u64)(u32)(m0 + key[0]) * (u32)(m2 + key[2]); + sums[1] +=3D (u64)(u32)(m0 + key[4]) * (u32)(m2 + key[6]); + sums[2] +=3D (u64)(u32)(m0 + key[8]) * (u32)(m2 + key[10]); + sums[3] +=3D (u64)(u32)(m0 + key[12]) * (u32)(m2 + key[14]); + sums[0] +=3D (u64)(u32)(m1 + key[1]) * (u32)(m3 + key[3]); + sums[1] +=3D (u64)(u32)(m1 + key[5]) * (u32)(m3 + key[7]); + sums[2] +=3D (u64)(u32)(m1 + key[9]) * (u32)(m3 + key[11]); + sums[3] +=3D (u64)(u32)(m1 + key[13]) * (u32)(m3 + key[15]); + key +=3D NH_MESSAGE_UNIT / sizeof(key[0]); + message +=3D NH_MESSAGE_UNIT; + message_len -=3D NH_MESSAGE_UNIT; + } + + hash[0] =3D cpu_to_le64(sums[0]); + hash[1] =3D cpu_to_le64(sums[1]); + hash[2] =3D cpu_to_le64(sums[2]); + hash[3] =3D cpu_to_le64(sums[3]); +} +EXPORT_SYMBOL_GPL(nh); + +#ifdef nh_mod_init_arch +static int __init nh_mod_init(void) +{ + nh_mod_init_arch(); + return 0; +} +subsys_initcall(nh_mod_init); + +static void __exit nh_mod_exit(void) +{ +} +module_exit(nh_mod_exit); +#endif + +MODULE_DESCRIPTION("NH almost-universal hash function"); +MODULE_LICENSE("GPL"); --=20 2.52.0 From nobody Tue Dec 16 16:35:51 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C6A4C2356D9; Thu, 11 Dec 2025 01:20:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416052; cv=none; b=Fh0SChnb+fupV5eSwTQoSLvnBBONJ7YiggK0mbPr5aAb7nvsZjinaU/HtEVbqfRxoPMxNT9rASHHuWUu9JVBjdpJExCfMDM9ZmFeSbMYUszYxFv+D9gSU4k+pfekoqWul4VQKCm8Smszt/IMJc0WiU4YdK+qnaa3OuB+/fAcXVc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416052; c=relaxed/simple; bh=02Y65YjIHs85N2NZc3vAciD0zpQXw9LTQC+VbdsF5Tg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Y4JVV++lQk8xlXU+qErNLiMfszG1IgPlxZM8KeNI2jXZ13H7ZJv72/ZxVIT00yFcJ/RL7L02NtDYiH/VXVbP4AiLkUL+dpw65FS2xUoqHEVBBAOSJQWic8Ag8tlfaqC36UedMZgNpJBzwlD84XJwQYIGovTPolFWDIb5GP350BY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=uZxhQfX8; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="uZxhQfX8" Received: by smtp.kernel.org (Postfix) with ESMTPSA id DE04BC4CEF1; Thu, 11 Dec 2025 01:20:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1765416052; bh=02Y65YjIHs85N2NZc3vAciD0zpQXw9LTQC+VbdsF5Tg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=uZxhQfX8OsZEwRukcLQrWsqzQvCvtK82eTnCe16+lYLc0XdAploMFOZeFwJ5Fvmde P2DEoReg5wwv/oO6L3MG+m3VGvv9hN0PMmx9mEWbTudi8eWhEKGgcJ2PPNx2MgV37q aQ36uwBr09g2A6foArq14so2w2tx/4EH/DZHrNs7iVLmffN1d5Zkq5IO5qSUdnOYhM STgMWlKoI7m4HA3a67hZ4dc+auAiyJc4erCaxEo0Bmbn0iOX3kW8T9/8c6Ai0HkoGP Q/IvJ66WzJfFN9puRJVup61LfYKTgYwGL/Ib64qsJyrzOj9Io9H218yxILEp6T1PST xozjxrJMQMLvg== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , Herbert Xu , linux-arm-kernel@lists.infradead.org, x86@kernel.org, Eric Biggers Subject: [PATCH 02/12] lib/crypto: tests: Add KUnit tests for NH Date: Wed, 10 Dec 2025 17:18:34 -0800 Message-ID: <20251211011846.8179-3-ebiggers@kernel.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251211011846.8179-1-ebiggers@kernel.org> References: <20251211011846.8179-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add some simple KUnit tests for the nh() function. These replace the test coverage which will be lost by removing the nhpoly1305 crypto_shash. Note that the NH code also continues to be tested indirectly as well, via the tests for the "adiantum(xchacha12,aes)" crypto_skcipher. Signed-off-by: Eric Biggers --- lib/crypto/tests/Kconfig | 8 + lib/crypto/tests/Makefile | 1 + lib/crypto/tests/nh-testvecs.h | 298 ++++++++++++++++++++++++++++ lib/crypto/tests/nh_kunit.c | 43 ++++ scripts/crypto/gen-hash-testvecs.py | 40 ++++ 5 files changed, 390 insertions(+) create mode 100644 lib/crypto/tests/nh-testvecs.h create mode 100644 lib/crypto/tests/nh_kunit.c diff --git a/lib/crypto/tests/Kconfig b/lib/crypto/tests/Kconfig index c9165c14fc46..4970463ea0aa 100644 --- a/lib/crypto/tests/Kconfig +++ b/lib/crypto/tests/Kconfig @@ -45,10 +45,18 @@ config CRYPTO_LIB_MLDSA_KUNIT_TEST select CRYPTO_LIB_BENCHMARK_VISIBLE select CRYPTO_LIB_MLDSA help KUnit tests for the ML-DSA digital signature algorithm. =20 +config CRYPTO_LIB_NH_KUNIT_TEST + tristate "KUnit tests for NH" if !KUNIT_ALL_TESTS + depends on KUNIT + default KUNIT_ALL_TESTS || CRYPTO_SELFTESTS + select CRYPTO_LIB_NH + help + KUnit tests for the NH almost-universal hash function. + config CRYPTO_LIB_POLY1305_KUNIT_TEST tristate "KUnit tests for Poly1305" if !KUNIT_ALL_TESTS depends on KUNIT default KUNIT_ALL_TESTS || CRYPTO_SELFTESTS select CRYPTO_LIB_BENCHMARK_VISIBLE diff --git a/lib/crypto/tests/Makefile b/lib/crypto/tests/Makefile index 3dde0b40b2c5..f4262379f56c 100644 --- a/lib/crypto/tests/Makefile +++ b/lib/crypto/tests/Makefile @@ -3,10 +3,11 @@ obj-$(CONFIG_CRYPTO_LIB_BLAKE2B_KUNIT_TEST) +=3D blake2b_kunit.o obj-$(CONFIG_CRYPTO_LIB_BLAKE2S_KUNIT_TEST) +=3D blake2s_kunit.o obj-$(CONFIG_CRYPTO_LIB_CURVE25519_KUNIT_TEST) +=3D curve25519_kunit.o obj-$(CONFIG_CRYPTO_LIB_MD5_KUNIT_TEST) +=3D md5_kunit.o obj-$(CONFIG_CRYPTO_LIB_MLDSA_KUNIT_TEST) +=3D mldsa_kunit.o +obj-$(CONFIG_CRYPTO_LIB_NH_KUNIT_TEST) +=3D nh_kunit.o obj-$(CONFIG_CRYPTO_LIB_POLY1305_KUNIT_TEST) +=3D poly1305_kunit.o obj-$(CONFIG_CRYPTO_LIB_POLYVAL_KUNIT_TEST) +=3D polyval_kunit.o obj-$(CONFIG_CRYPTO_LIB_SHA1_KUNIT_TEST) +=3D sha1_kunit.o obj-$(CONFIG_CRYPTO_LIB_SHA256_KUNIT_TEST) +=3D sha224_kunit.o sha256_kuni= t.o obj-$(CONFIG_CRYPTO_LIB_SHA512_KUNIT_TEST) +=3D sha384_kunit.o sha512_kuni= t.o diff --git a/lib/crypto/tests/nh-testvecs.h b/lib/crypto/tests/nh-testvecs.h new file mode 100644 index 000000000000..b393e1f90f31 --- /dev/null +++ b/lib/crypto/tests/nh-testvecs.h @@ -0,0 +1,298 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* This file was generated by: ./scripts/crypto/gen-hash-testvecs.py nh */ + +static const u8 nh_test_key[NH_KEY_BYTES] =3D { + 0x04, 0x59, 0x66, 0x92, 0x81, 0xd7, 0xe9, 0x25, + 0x68, 0xfa, 0xb0, 0xca, 0x9f, 0xea, 0x98, 0xca, + 0xcd, 0xbf, 0x6d, 0xa5, 0x0c, 0x22, 0xc3, 0x57, + 0xdc, 0x35, 0x05, 0xdd, 0x5b, 0xb0, 0xce, 0xf6, + 0xb2, 0x4c, 0x77, 0x2e, 0xd2, 0x63, 0xf0, 0x17, + 0x60, 0xd8, 0xd3, 0xd9, 0xed, 0x34, 0xb6, 0xed, + 0x6a, 0x11, 0xc0, 0x25, 0xda, 0xba, 0x7e, 0xef, + 0x49, 0x13, 0xf7, 0xd9, 0xfc, 0xb6, 0xfd, 0x58, + 0xe9, 0x5f, 0xc5, 0xc4, 0x69, 0x89, 0xba, 0xa6, + 0x2b, 0x58, 0x8d, 0x36, 0x6c, 0xb9, 0x90, 0x1e, + 0x64, 0xc7, 0x44, 0x84, 0x03, 0x70, 0x30, 0x47, + 0xdd, 0x58, 0xf4, 0x87, 0x61, 0xfd, 0x9c, 0x6b, + 0x51, 0x1b, 0x39, 0x1d, 0x6d, 0x50, 0xae, 0x19, + 0x71, 0x03, 0xc7, 0xa7, 0x42, 0x82, 0x8f, 0xa5, + 0x63, 0x6a, 0xe2, 0x8a, 0xad, 0x4b, 0x40, 0xa7, + 0x3f, 0x8b, 0xe4, 0xae, 0xb2, 0x8a, 0x14, 0x78, + 0x91, 0x07, 0xba, 0x02, 0x08, 0xc1, 0x34, 0xb8, + 0xda, 0x61, 0x67, 0xf6, 0x98, 0x97, 0x1a, 0xcb, + 0x0f, 0x82, 0x80, 0xff, 0x02, 0x54, 0x16, 0x57, + 0x18, 0x35, 0xaf, 0x16, 0x17, 0x68, 0xcc, 0xc7, + 0x52, 0xac, 0x31, 0x39, 0x60, 0xe4, 0xb4, 0xcb, + 0x0e, 0xf9, 0x57, 0xe9, 0x96, 0xff, 0x99, 0xd6, + 0x10, 0x96, 0x09, 0xab, 0x28, 0x92, 0x1b, 0x9f, + 0x10, 0xde, 0x3e, 0x87, 0xb8, 0x9d, 0x2d, 0xa0, + 0x3c, 0x91, 0x85, 0x8c, 0x9e, 0xc0, 0x97, 0x9a, + 0xb4, 0x54, 0x7f, 0x4a, 0x63, 0xc2, 0x75, 0x0f, + 0x0d, 0x2f, 0x62, 0x56, 0x48, 0x0e, 0xb6, 0xc7, + 0xcf, 0x0d, 0x78, 0xca, 0xbd, 0x31, 0x9e, 0x4c, + 0xf7, 0x3f, 0x9e, 0xc2, 0xea, 0x5e, 0x44, 0x6d, + 0x76, 0xf9, 0xc5, 0xe0, 0x29, 0xea, 0x15, 0xbf, + 0xaf, 0xd4, 0x75, 0xc8, 0x89, 0xcf, 0x4f, 0x17, + 0xfd, 0x4a, 0x45, 0xa5, 0x4d, 0x2d, 0x87, 0x11, + 0x2b, 0x3e, 0x64, 0xa2, 0x6b, 0xc5, 0x23, 0x8c, + 0xfa, 0x71, 0x13, 0x72, 0x0e, 0x7c, 0xe1, 0x2c, + 0x9f, 0x0e, 0x29, 0xc9, 0x15, 0xde, 0x4e, 0xd7, + 0x42, 0x1f, 0x8e, 0xe1, 0x91, 0x99, 0x50, 0x38, + 0x7f, 0x15, 0xc0, 0xf6, 0x4b, 0xfd, 0x9d, 0x40, + 0xe9, 0x44, 0x51, 0xca, 0x3b, 0x83, 0x41, 0x9f, + 0x82, 0x64, 0x66, 0x22, 0x12, 0x43, 0x1c, 0x4f, + 0x45, 0x11, 0x3a, 0x46, 0xb1, 0x7c, 0x62, 0x0a, + 0x9d, 0x4c, 0x99, 0x85, 0xb0, 0x10, 0x19, 0xcf, + 0xeb, 0xf9, 0x65, 0xaf, 0xd8, 0x05, 0x9e, 0x61, + 0x03, 0x5f, 0x15, 0x99, 0xa9, 0x05, 0x20, 0xc8, + 0xaf, 0xab, 0x31, 0x9d, 0xd5, 0xdf, 0x24, 0xce, + 0x2b, 0x6d, 0xd7, 0x17, 0xc3, 0x04, 0xff, 0x82, + 0xa7, 0x18, 0x39, 0xe9, 0x0d, 0x0a, 0x5f, 0xb9, + 0xc9, 0x86, 0x1d, 0xf8, 0x02, 0x2d, 0xc3, 0x88, + 0x28, 0x73, 0x5c, 0xac, 0x25, 0xc9, 0xfe, 0xcb, + 0xd2, 0xfd, 0x63, 0x74, 0xac, 0xe1, 0xb8, 0xa2, + 0xc6, 0x2b, 0xb5, 0x40, 0x01, 0x9b, 0xed, 0xee, + 0x7b, 0x63, 0x66, 0x05, 0x45, 0xc2, 0x6c, 0xd8, + 0x58, 0xf1, 0xa1, 0x3d, 0xc8, 0x43, 0x59, 0x4b, + 0x39, 0x87, 0x24, 0x64, 0x92, 0xb0, 0xab, 0x75, + 0xf1, 0xb7, 0xbf, 0x7c, 0xde, 0xc0, 0xaf, 0x4a, + 0xc2, 0x7b, 0xd9, 0x8a, 0x99, 0xcd, 0x83, 0x01, + 0xe6, 0xae, 0xeb, 0x16, 0xe7, 0x54, 0x9c, 0x95, + 0x0a, 0x91, 0x02, 0xaf, 0x9f, 0x79, 0x40, 0x45, + 0xce, 0x47, 0x41, 0x65, 0xca, 0x80, 0x0d, 0x14, + 0x46, 0x58, 0x5d, 0x4d, 0x28, 0x55, 0x70, 0x49, + 0x7c, 0x32, 0x1f, 0x01, 0xaa, 0x05, 0x2f, 0xf1, + 0xeb, 0xa3, 0xe6, 0x1d, 0xf9, 0x43, 0xe0, 0x58, + 0x05, 0x61, 0x22, 0xc3, 0xee, 0xe4, 0x6f, 0x94, + 0xaf, 0x82, 0xda, 0x18, 0x18, 0x63, 0x9c, 0xfa, + 0xc0, 0x04, 0x27, 0xc5, 0x39, 0x5e, 0x7a, 0xa6, + 0x85, 0x46, 0xb7, 0x76, 0xc9, 0x16, 0xf2, 0xf8, + 0x40, 0x8d, 0x4b, 0x5e, 0x72, 0xf3, 0x3e, 0x12, + 0xa4, 0x80, 0x39, 0xb2, 0x92, 0xfe, 0x6e, 0x5b, + 0x5b, 0xad, 0xea, 0x29, 0xbc, 0x66, 0xe6, 0xfe, + 0x80, 0x02, 0x5d, 0x83, 0x37, 0xfc, 0xde, 0x6c, + 0x25, 0x54, 0xa2, 0xff, 0x7d, 0xb6, 0xe1, 0xd6, + 0xcf, 0xdb, 0x60, 0xe3, 0xbe, 0x2f, 0x4e, 0xb4, + 0xf5, 0xb4, 0x51, 0xf7, 0x5a, 0x25, 0xda, 0x40, + 0x84, 0x5e, 0xc0, 0x0a, 0x6b, 0xfa, 0x0c, 0xfb, + 0x5e, 0x3e, 0x12, 0x6c, 0x39, 0x35, 0xc0, 0x28, + 0xd6, 0x1b, 0x3a, 0x72, 0xc3, 0xfe, 0xa5, 0x4c, + 0x35, 0xa2, 0x42, 0xf6, 0x3d, 0xa5, 0xbf, 0xb5, + 0x39, 0xe3, 0xc9, 0xd5, 0x8c, 0x1b, 0xe5, 0xef, + 0x91, 0xd2, 0x80, 0x6f, 0xcc, 0x77, 0x44, 0x50, + 0x62, 0xc7, 0xac, 0x29, 0xcb, 0x72, 0xda, 0x6d, + 0xc5, 0xfe, 0xa7, 0xee, 0x8b, 0xeb, 0xfc, 0xa3, + 0x46, 0x18, 0x5f, 0xaa, 0xc3, 0x65, 0xd0, 0x8f, + 0x67, 0x98, 0xd6, 0xce, 0x5f, 0x84, 0xd4, 0x96, + 0x1b, 0x67, 0xa0, 0xcf, 0xfc, 0x94, 0x55, 0x5e, + 0x4b, 0x51, 0x68, 0xa7, 0x6d, 0x02, 0xf9, 0x53, + 0x54, 0x86, 0x6b, 0x53, 0x39, 0xe0, 0x36, 0x23, + 0x87, 0x1a, 0xfb, 0x53, 0x1a, 0x65, 0xd8, 0x42, + 0xa8, 0x85, 0xfd, 0x2c, 0x7f, 0x6b, 0x7f, 0x67, + 0x70, 0x23, 0x6c, 0xe9, 0x0b, 0xf0, 0x1e, 0x0d, + 0x0b, 0xb4, 0xd4, 0x96, 0x14, 0x95, 0x7e, 0xf3, + 0x9b, 0xdd, 0xd7, 0xc4, 0x24, 0x22, 0xb9, 0x9d, + 0xb3, 0xa6, 0xac, 0x09, 0x7c, 0x00, 0xbf, 0xd0, + 0xdc, 0xfb, 0x9b, 0x7c, 0x8c, 0xbd, 0xd4, 0x1a, + 0x13, 0x2b, 0x82, 0x3d, 0x7c, 0x8c, 0x10, 0x47, + 0x49, 0x6c, 0x53, 0xeb, 0xa7, 0xc2, 0xde, 0xed, + 0xe2, 0x55, 0x93, 0x2c, 0x1a, 0x5a, 0x7d, 0xe1, + 0x37, 0x62, 0xdd, 0x29, 0x1a, 0x72, 0x82, 0xc0, + 0x14, 0x73, 0x5d, 0x0e, 0x9b, 0xcc, 0x54, 0x68, + 0x3a, 0x4d, 0x56, 0x8f, 0xc9, 0x4e, 0xaf, 0x7b, + 0xde, 0x17, 0x9c, 0x5e, 0x83, 0x82, 0x22, 0xe3, + 0x28, 0xdf, 0x1b, 0xb6, 0xdb, 0x17, 0x90, 0x48, + 0xb5, 0x13, 0x4e, 0xd3, 0x97, 0x5e, 0xb3, 0x9c, + 0x16, 0x08, 0xc8, 0x77, 0xb3, 0xcd, 0x94, 0x90, + 0x4f, 0x77, 0xaf, 0x67, 0xdd, 0x80, 0x15, 0x1c, + 0x59, 0xfb, 0x3c, 0xec, 0xf8, 0xb3, 0x67, 0xfb, + 0xa0, 0x94, 0x3c, 0x53, 0x99, 0x49, 0x94, 0x2c, + 0x85, 0x26, 0x92, 0x6d, 0x8d, 0x48, 0xf6, 0x72, + 0xdd, 0xfb, 0xb2, 0x10, 0x51, 0x5b, 0xbe, 0xd5, + 0x70, 0x3d, 0x28, 0x94, 0x98, 0x4f, 0x6e, 0x20, + 0x7b, 0x7d, 0x0f, 0x56, 0xc9, 0x96, 0x5f, 0x60, + 0x2e, 0x2f, 0x9b, 0x38, 0x7f, 0xc7, 0x3c, 0x6b, + 0x2f, 0x2b, 0x8f, 0x1f, 0x07, 0x1c, 0x85, 0x57, + 0x16, 0x2e, 0xc7, 0x74, 0xe5, 0xf2, 0x0d, 0xfe, + 0xef, 0x57, 0xb0, 0xa4, 0x4f, 0x4c, 0x7d, 0x81, + 0xbb, 0xaa, 0xcb, 0xa0, 0xb0, 0x51, 0xcf, 0xc2, + 0xee, 0x90, 0x2e, 0x5e, 0x27, 0xca, 0xd3, 0xe8, + 0xf3, 0x55, 0x02, 0x56, 0x06, 0xa5, 0xad, 0xdf, + 0xa3, 0xa9, 0x06, 0x05, 0x53, 0x74, 0x55, 0xd5, + 0xd2, 0x20, 0x0a, 0x6d, 0x4a, 0xef, 0x16, 0xbf, + 0xc3, 0xb2, 0x75, 0x93, 0xd8, 0x6e, 0x0f, 0xd2, + 0xae, 0x3b, 0xc0, 0x00, 0x22, 0x6f, 0xb5, 0x0a, + 0x41, 0xfc, 0xf9, 0x41, 0xfc, 0x16, 0x4f, 0xa6, + 0x1c, 0x18, 0x41, 0x67, 0x73, 0xa8, 0x79, 0xa9, + 0x54, 0x18, 0x4e, 0x88, 0x44, 0x0f, 0xa1, 0x5b, + 0xf0, 0x68, 0xea, 0x3c, 0x62, 0x59, 0x8d, 0xc7, + 0x6f, 0xd7, 0x72, 0x20, 0x74, 0x39, 0xd4, 0x3a, + 0x41, 0x1b, 0x58, 0x57, 0x54, 0x85, 0x60, 0xca, + 0x49, 0x4b, 0xa1, 0x04, 0x91, 0xb6, 0xf2, 0xcd, + 0x62, 0x63, 0x67, 0xd1, 0xee, 0x6b, 0x9e, 0x5d, + 0xd6, 0xc4, 0x58, 0x6b, 0xe1, 0xe6, 0x4a, 0xdb, + 0xe8, 0xb1, 0x35, 0x03, 0x15, 0x8d, 0x34, 0x69, + 0x4c, 0xd2, 0x54, 0xce, 0xe8, 0x6a, 0x69, 0x6f, + 0xaa, 0xb5, 0x1f, 0x86, 0xed, 0xac, 0x4f, 0x16, + 0x1e, 0x48, 0x93, 0xe8, 0x6c, 0x24, 0x1c, 0xd0, + 0xbb, 0x61, 0xc2, 0x34, 0xdd, 0xc9, 0x5c, 0xce, +}; + +static const u8 nh_test_msg[NH_MESSAGE_BYTES] =3D { + 0x99, 0x57, 0x61, 0x41, 0xad, 0x08, 0x7e, 0x17, + 0xd4, 0xef, 0x0b, 0x23, 0xff, 0x0b, 0x96, 0x0a, + 0x6c, 0x98, 0xac, 0x78, 0x5e, 0xb6, 0xb2, 0x67, + 0x0f, 0x48, 0xf4, 0xa1, 0xe5, 0x1e, 0xfe, 0x83, + 0xe4, 0x56, 0x2a, 0x03, 0x64, 0xff, 0x7a, 0xf3, + 0x03, 0xfe, 0xa7, 0x86, 0xdc, 0x35, 0x79, 0x13, + 0xf8, 0xe1, 0x59, 0x19, 0x04, 0x43, 0x24, 0x82, + 0x44, 0x82, 0x41, 0x2b, 0xc7, 0xcf, 0xf5, 0xa4, + 0xdc, 0xca, 0xf5, 0x34, 0xc4, 0x23, 0x3c, 0x1f, + 0xa8, 0x84, 0x1f, 0x2a, 0xcd, 0xae, 0x9d, 0x5e, + 0x05, 0xe2, 0xfb, 0x0c, 0x68, 0x81, 0x90, 0x11, + 0x44, 0xf6, 0xdd, 0x5b, 0x51, 0xd3, 0xe0, 0xab, + 0x29, 0x3a, 0xa9, 0x9c, 0xf6, 0x7e, 0x2d, 0xe3, + 0x6c, 0x09, 0x59, 0xd7, 0xfa, 0x7f, 0x6a, 0x33, + 0x3b, 0x23, 0x7b, 0x1b, 0xb2, 0x79, 0x5f, 0x5c, + 0xb6, 0x2d, 0xb0, 0xf8, 0xab, 0x33, 0x28, 0xe0, + 0x72, 0x2e, 0x2f, 0x03, 0x22, 0x16, 0xb4, 0x87, + 0xf7, 0x14, 0x3f, 0x55, 0x8a, 0xb0, 0x47, 0xdb, + 0x42, 0x2d, 0xc0, 0x0c, 0x0a, 0x33, 0xf8, 0xab, + 0x44, 0xae, 0xa3, 0xc9, 0xfc, 0xf6, 0x34, 0x8c, + 0x60, 0x30, 0x6d, 0x31, 0x70, 0xf3, 0x39, 0x53, + 0xf1, 0x2d, 0xb9, 0x6c, 0xa6, 0x48, 0x9c, 0x9c, + 0xc2, 0x88, 0xb3, 0xa9, 0x98, 0xb6, 0xc3, 0x47, + 0x94, 0x02, 0x9d, 0x98, 0x6e, 0x25, 0x6c, 0xf5, + 0x9b, 0xc6, 0x4d, 0xee, 0x07, 0x1e, 0x25, 0x8f, + 0x01, 0xde, 0xad, 0xe5, 0x77, 0x4f, 0xd1, 0xc0, + 0x62, 0xbb, 0x3a, 0xb9, 0x83, 0x0b, 0x29, 0x76, + 0x4f, 0xb1, 0x86, 0x2c, 0x27, 0xc7, 0x38, 0x65, + 0xcb, 0x78, 0xb7, 0x02, 0x10, 0x9e, 0xde, 0x83, + 0xd1, 0xac, 0x05, 0x86, 0x23, 0xce, 0x4f, 0x8d, + 0xcc, 0x4e, 0x3f, 0x04, 0xf4, 0x39, 0x91, 0x81, + 0x1c, 0x42, 0x47, 0x4d, 0x50, 0xe5, 0x01, 0x22, + 0x98, 0xcf, 0x91, 0x36, 0xb3, 0x7c, 0xcf, 0x78, + 0x07, 0x22, 0xa9, 0x18, 0xd2, 0xcd, 0x7d, 0x4d, + 0xa6, 0xcb, 0xaa, 0x52, 0x13, 0x49, 0x64, 0xb0, + 0xa5, 0x3d, 0xc7, 0xc3, 0x10, 0x87, 0x2e, 0x76, + 0xa9, 0x52, 0xc5, 0x50, 0x18, 0xc0, 0x5d, 0xb4, + 0x4c, 0xc6, 0x7f, 0x64, 0xae, 0x53, 0xc3, 0x46, + 0x99, 0xb7, 0x61, 0x6b, 0x08, 0x43, 0x08, 0x4c, + 0x90, 0x2c, 0xee, 0x56, 0x91, 0xb4, 0x28, 0xa8, + 0xa8, 0x8b, 0x3b, 0x1a, 0x67, 0x71, 0xf2, 0x81, + 0x48, 0x20, 0x71, 0x30, 0xdd, 0x69, 0x8a, 0xc2, + 0x4c, 0x9d, 0x4e, 0x17, 0xfb, 0x2e, 0xe7, 0x9b, + 0x86, 0x94, 0xa5, 0xce, 0xf9, 0x74, 0x56, 0xff, + 0x3b, 0xff, 0xd9, 0x5a, 0xc8, 0x98, 0xf5, 0x25, + 0xa2, 0xb9, 0x66, 0x46, 0x89, 0x17, 0x39, 0x08, + 0x69, 0x03, 0x59, 0x1e, 0x13, 0x12, 0x68, 0xe7, + 0x2f, 0x00, 0xd3, 0xf3, 0x71, 0xd1, 0x20, 0xc5, + 0x0b, 0x38, 0x89, 0xda, 0x62, 0x3c, 0xce, 0xea, + 0x04, 0x19, 0x47, 0x6d, 0xd8, 0x64, 0x38, 0x60, + 0x96, 0x71, 0x68, 0x48, 0x79, 0xf8, 0xf4, 0x76, + 0x33, 0xf6, 0x60, 0x8d, 0x21, 0xd0, 0xee, 0x41, + 0xc0, 0xbe, 0x33, 0x61, 0x5e, 0x66, 0xe6, 0x16, + 0x14, 0xc7, 0xfb, 0x6c, 0xf3, 0x58, 0xef, 0x12, + 0x7c, 0x70, 0x65, 0x5d, 0x55, 0xe8, 0xf2, 0x92, + 0x3a, 0xfe, 0x34, 0x64, 0x31, 0x7c, 0x29, 0xbb, + 0x01, 0x18, 0xbd, 0xb6, 0xe4, 0x1e, 0xa4, 0xf3, + 0x7b, 0x4c, 0x6a, 0x0d, 0x01, 0xfc, 0xc7, 0x66, + 0xc3, 0x88, 0x37, 0x25, 0xcf, 0xe9, 0xca, 0x82, + 0xeb, 0xa1, 0x38, 0x40, 0xc9, 0xdb, 0x38, 0x7b, + 0x78, 0xcf, 0x11, 0xa3, 0x1c, 0x6b, 0x70, 0xc8, + 0xe1, 0x2f, 0x7c, 0x17, 0x2c, 0x58, 0x28, 0xa4, + 0x13, 0x40, 0xc7, 0x69, 0x0f, 0x04, 0xe5, 0x8e, + 0xf0, 0x67, 0x53, 0xea, 0x10, 0xf5, 0x83, 0xc9, + 0xcb, 0x6b, 0x16, 0xef, 0x2e, 0x55, 0xb3, 0xdd, + 0xed, 0xf9, 0x1a, 0x52, 0x9a, 0x73, 0x78, 0x14, + 0x14, 0x21, 0xfc, 0xef, 0x3c, 0x40, 0xa9, 0xfe, + 0xef, 0xd7, 0x6e, 0x28, 0x2f, 0xd3, 0x73, 0xed, + 0xa3, 0x73, 0xb5, 0x62, 0x41, 0xe6, 0xd4, 0x79, + 0x49, 0x31, 0x2b, 0x86, 0x74, 0x56, 0x21, 0xfe, + 0x6d, 0xb2, 0xbe, 0x81, 0x80, 0xa6, 0x81, 0x19, + 0x90, 0x79, 0x6f, 0xc4, 0x4e, 0x7d, 0x6f, 0x2f, + 0xa8, 0x6f, 0xd5, 0xc4, 0x7e, 0x23, 0x3b, 0xe6, + 0x9b, 0x60, 0x97, 0x7b, 0xe2, 0x08, 0x8a, 0xaa, + 0xc7, 0x7c, 0xf6, 0xe5, 0x01, 0x3e, 0xd2, 0x29, + 0x7d, 0xd7, 0x40, 0x84, 0x95, 0xfa, 0xdf, 0xd8, + 0x81, 0xe9, 0x5e, 0xdd, 0x0d, 0x17, 0x51, 0x6b, + 0x8c, 0x0e, 0x47, 0xf9, 0x0c, 0x92, 0x1b, 0x60, + 0xca, 0x06, 0x8a, 0xe5, 0xe8, 0x0f, 0x06, 0x75, + 0x5d, 0x76, 0xc9, 0x32, 0x2c, 0x52, 0x2c, 0x2e, + 0xd8, 0x66, 0x38, 0x75, 0x16, 0xc7, 0x7d, 0x51, + 0xc4, 0xc2, 0x22, 0xc8, 0x19, 0xfc, 0x3d, 0x69, + 0x1e, 0xd9, 0x64, 0x47, 0x5d, 0x21, 0x84, 0x46, + 0xd7, 0xe1, 0xf0, 0x95, 0x3a, 0x8f, 0xbd, 0x7a, + 0x53, 0x71, 0x4c, 0x54, 0xc1, 0x3e, 0x27, 0xde, + 0xeb, 0x04, 0x11, 0xb0, 0x33, 0x4d, 0x57, 0x0b, + 0x6b, 0x7d, 0x6c, 0xd5, 0x87, 0x7e, 0xb4, 0xe2, + 0x94, 0x9e, 0x9f, 0x74, 0xe8, 0xb7, 0xfa, 0x05, + 0x9b, 0x8f, 0x81, 0x43, 0x35, 0x82, 0xb8, 0x5b, + 0xa8, 0x5e, 0xfa, 0x7a, 0x80, 0x8d, 0xd2, 0x90, + 0x58, 0x79, 0x89, 0x56, 0x90, 0x2b, 0xff, 0x92, + 0x3c, 0x35, 0xbe, 0x99, 0x5f, 0xd2, 0x4b, 0x15, + 0x58, 0x4b, 0xbf, 0x08, 0x9b, 0x9b, 0x97, 0x10, + 0xa4, 0x55, 0xc7, 0xec, 0x29, 0xc5, 0x14, 0x3e, + 0x8f, 0x56, 0xa3, 0x92, 0x9e, 0x33, 0xcc, 0x9e, + 0x77, 0x2f, 0x33, 0xcb, 0xc4, 0xe9, 0x19, 0xf4, + 0x32, 0x2b, 0xef, 0x6c, 0x1c, 0x92, 0x2c, 0x45, + 0x88, 0x74, 0x5f, 0xcf, 0x56, 0xfd, 0x87, 0x5f, + 0xb6, 0x9b, 0xa2, 0x51, 0xda, 0x9b, 0x83, 0x4f, + 0xec, 0x14, 0xe8, 0xd2, 0x42, 0x03, 0xcb, 0xe8, + 0xd0, 0xb7, 0xf8, 0x38, 0xde, 0x6f, 0xdf, 0x43, + 0xfa, 0x41, 0xab, 0xec, 0x2e, 0x3c, 0x93, 0x39, + 0x76, 0xd1, 0x6f, 0x5b, 0x6c, 0x6e, 0x8d, 0xeb, + 0x45, 0x6b, 0xc5, 0x76, 0x00, 0x29, 0xca, 0x3b, + 0xdb, 0x78, 0xc2, 0x32, 0x09, 0x39, 0x19, 0x50, + 0xa2, 0x44, 0x92, 0x09, 0xdb, 0x8b, 0x9e, 0x16, + 0x76, 0x7f, 0xf1, 0x78, 0x7b, 0xb2, 0x51, 0xbc, + 0x28, 0xbd, 0xb0, 0x7f, 0x25, 0x63, 0x7d, 0x34, + 0xfb, 0xf6, 0x36, 0x24, 0xc7, 0xf9, 0x41, 0xb6, + 0x2a, 0x06, 0xfc, 0xf0, 0x83, 0xf2, 0x12, 0x3d, + 0x60, 0x2e, 0x10, 0x70, 0x31, 0x6f, 0x37, 0x08, + 0x3e, 0x91, 0x93, 0xb5, 0xda, 0xb8, 0x4c, 0x1b, + 0xd8, 0xb8, 0x3b, 0xd5, 0x3e, 0xb6, 0xc0, 0xbb, + 0x38, 0x0f, 0xd2, 0x68, 0x4f, 0x78, 0x56, 0xf6, + 0xda, 0x65, 0xb4, 0x0b, 0xb4, 0xaf, 0xa8, 0x19, + 0x2f, 0x70, 0x55, 0xe0, 0x47, 0x31, 0x9f, 0x37, + 0x1a, 0x47, 0xb9, 0x0c, 0x97, 0x79, 0xfc, 0xa9, + 0x76, 0xe6, 0xfa, 0x38, 0x67, 0x25, 0xd3, 0x89, + 0x8d, 0xad, 0xc6, 0x11, 0x2d, 0x77, 0x0b, 0x35, + 0xa2, 0xe2, 0xdf, 0xc8, 0x94, 0xd5, 0xdf, 0xd2, + 0x69, 0x2a, 0x99, 0x93, 0xfa, 0x4a, 0x5f, 0xc7, + 0x8a, 0x14, 0x5f, 0x2a, 0xf3, 0x02, 0xf0, 0x3e, + 0x21, 0x8e, 0x2e, 0x4b, 0xc4, 0xd2, 0xc8, 0xa6, + 0x41, 0x6e, 0x17, 0x36, 0xe9, 0xad, 0x73, 0x33, + 0x6c, 0xea, 0xc2, 0x31, 0x8f, 0x30, 0x51, 0x5c, + 0x1c, 0x20, 0xe6, 0x05, 0x1a, 0x17, 0x15, 0x5d, + 0x3e, 0x8f, 0xd2, 0x7f, 0xa1, 0xc5, 0x47, 0xb3, + 0xb2, 0x9c, 0xe8, 0xf0, 0x6d, 0xc1, 0xc3, 0xa2, +}; + +static const u8 nh_test_val16[NH_HASH_BYTES] =3D { + 0x30, 0x77, 0x55, 0x7c, 0x45, 0xd8, 0xce, 0xf7, + 0x2a, 0xb5, 0x14, 0x8c, 0x35, 0x7e, 0xaa, 0x00, + 0x50, 0xbc, 0x50, 0x7c, 0xd3, 0x20, 0x7c, 0x9c, + 0xb4, 0xf1, 0x91, 0x26, 0x81, 0x03, 0xa5, 0x68, +}; + +static const u8 nh_test_val96[NH_HASH_BYTES] =3D { + 0xd2, 0x19, 0xca, 0xa5, 0x6c, 0x0c, 0xdf, 0x2f, + 0x69, 0xfa, 0x75, 0xc1, 0x63, 0xdb, 0xfa, 0x4d, + 0x45, 0x2b, 0xb8, 0xdb, 0xac, 0xee, 0x61, 0xc6, + 0x7a, 0x83, 0xb6, 0x0f, 0x32, 0x82, 0xe4, 0xd0, +}; + +static const u8 nh_test_val256[NH_HASH_BYTES] =3D { + 0x33, 0x8f, 0xb4, 0x96, 0xf1, 0xb6, 0xf1, 0xb5, + 0x05, 0x19, 0xbb, 0x6b, 0xda, 0xd9, 0x95, 0x75, + 0x96, 0x3f, 0x8b, 0x42, 0xb6, 0xcd, 0xb7, 0xb7, + 0xe7, 0x97, 0xb5, 0xa9, 0x0b, 0xd7, 0xdd, 0x33, +}; + +static const u8 nh_test_val1024[NH_HASH_BYTES] =3D { + 0x32, 0x3d, 0x51, 0xe1, 0x77, 0xb6, 0xac, 0x06, + 0x84, 0x67, 0xb7, 0xf2, 0x24, 0xe7, 0xec, 0xfd, + 0x96, 0x64, 0xff, 0x55, 0xc7, 0x1b, 0xf9, 0xdc, + 0xa3, 0xc7, 0x32, 0x06, 0x79, 0xcf, 0xca, 0xb6, +}; diff --git a/lib/crypto/tests/nh_kunit.c b/lib/crypto/tests/nh_kunit.c new file mode 100644 index 000000000000..a8a3c3f345cb --- /dev/null +++ b/lib/crypto/tests/nh_kunit.c @@ -0,0 +1,43 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright 2025 Google LLC + */ +#include +#include +#include "nh-testvecs.h" + +static void test_nh(struct kunit *test) +{ + u32 *key =3D kunit_kmalloc(test, NH_KEY_BYTES, GFP_KERNEL); + __le64 hash[NH_NUM_PASSES]; + + KUNIT_ASSERT_NOT_NULL(test, key); + memcpy(key, nh_test_key, NH_KEY_BYTES); + le32_to_cpu_array(key, NH_KEY_WORDS); + + nh(key, nh_test_msg, 16, hash); + KUNIT_ASSERT_MEMEQ(test, hash, nh_test_val16, NH_HASH_BYTES); + + nh(key, nh_test_msg, 96, hash); + KUNIT_ASSERT_MEMEQ(test, hash, nh_test_val96, NH_HASH_BYTES); + + nh(key, nh_test_msg, 256, hash); + KUNIT_ASSERT_MEMEQ(test, hash, nh_test_val256, NH_HASH_BYTES); + + nh(key, nh_test_msg, 1024, hash); + KUNIT_ASSERT_MEMEQ(test, hash, nh_test_val1024, NH_HASH_BYTES); +} + +static struct kunit_case nh_test_cases[] =3D { + KUNIT_CASE(test_nh), + {}, +}; + +static struct kunit_suite nh_test_suite =3D { + .name =3D "nh", + .test_cases =3D nh_test_cases, +}; +kunit_test_suite(nh_test_suite); + +MODULE_DESCRIPTION("KUnit tests for NH"); +MODULE_LICENSE("GPL"); diff --git a/scripts/crypto/gen-hash-testvecs.py b/scripts/crypto/gen-hash-= testvecs.py index c1d0517140bd..1e20ecb46314 100755 --- a/scripts/crypto/gen-hash-testvecs.py +++ b/scripts/crypto/gen-hash-testvecs.py @@ -182,10 +182,48 @@ def gen_additional_blake2_testvecs(alg): hashes +=3D h.digest() print_static_u8_array_definition( f'{alg}_keyed_testvec_consolidated[{alg_digest_size_const(alg)= }]', compute_hash(alg, hashes)) =20 +def nh_extract_int(bytestr, pos, length): + assert pos % 8 =3D=3D 0 and length % 8 =3D=3D 0 + return int.from_bytes(bytestr[pos//8 : pos//8 + length//8], byteorder= =3D'little') + +# The NH "almost-universal hash function" used in Adiantum. This is a +# straightforward translation of the pseudocode from Section 6.3 of the Ad= iantum +# paper (https://eprint.iacr.org/2018/720.pdf), except the outer loop is o= mitted +# because we assume len(msg) <=3D 1024. (The kernel's nh() function is on= ly +# expected to handle up to 1024 bytes; it's just called repeatedly as need= ed.) +def nh(key, msg): + (w, s, r, u) =3D (32, 2, 4, 8192) + l =3D 8 * len(msg) + assert l <=3D u + assert l % (2*s*w) =3D=3D 0 + h =3D bytes() + for i in range(0, 2*s*w*r, 2*s*w): + p =3D 0 + for j in range(0, l, 2*s*w): + for k in range(0, w*s, w): + a0 =3D nh_extract_int(key, i + j + k, w) + a1 =3D nh_extract_int(key, i + j + k + s*w, w) + b0 =3D nh_extract_int(msg, j + k, w) + b1 =3D nh_extract_int(msg, j + k + s*w, w) + p +=3D ((a0 + b0) % 2**w) * ((a1 + b1) % 2**w) + h +=3D (p % 2**64).to_bytes(8, byteorder=3D'little') + return h + +def gen_nh_testvecs(): + NH_KEY_BYTES =3D 1072 + NH_MESSAGE_BYTES =3D 1024 + key =3D rand_bytes(NH_KEY_BYTES) + msg =3D rand_bytes(NH_MESSAGE_BYTES) + print_static_u8_array_definition('nh_test_key[NH_KEY_BYTES]', key) + print_static_u8_array_definition('nh_test_msg[NH_MESSAGE_BYTES]', msg) + for length in [16, 96, 256, 1024]: + print_static_u8_array_definition(f'nh_test_val{length}[NH_HASH_BYT= ES]', + nh(key, msg[:length])) + def gen_additional_poly1305_testvecs(): key =3D b'\xff' * POLY1305_KEY_SIZE data =3D b'' ctx =3D Poly1305(key) for _ in range(32): @@ -215,10 +253,12 @@ alg =3D sys.argv[1] print('/* SPDX-License-Identifier: GPL-2.0-or-later */') print(f'/* This file was generated by: {sys.argv[0]} {" ".join(sys.argv[1:= ])} */') if alg.startswith('blake2'): gen_unkeyed_testvecs(alg) gen_additional_blake2_testvecs(alg) +elif alg =3D=3D 'nh': + gen_nh_testvecs() elif alg =3D=3D 'poly1305': gen_unkeyed_testvecs(alg) gen_additional_poly1305_testvecs() elif alg =3D=3D 'polyval': gen_unkeyed_testvecs(alg) --=20 2.52.0 From nobody Tue Dec 16 16:35:51 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 956A7246BA7; Thu, 11 Dec 2025 01:20:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416053; cv=none; b=R8nNWuckRw0ngZUliXxVosteQcinTp1Anz6P99rDdgH2dGXnoqlE0422SI02WatqAuvVrlejTT73Qgl+6xo9Fzn/rvP0Nm81IsRjj0rcO/f9HOWFp6tyqyD3ErMzl/wpXcdOSsjfRxMUu4/HX8ZSEortQFUL7gvmGaNPsdvX/PU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416053; c=relaxed/simple; bh=QA13DHhl+4YhpyPWe17T6LrXRA31xdotOdL51bY/g5o=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=LcgWpBJHBH+Rr5DB28KbkURnF4fdgXOEtBtaUFKgchu6xJOZ07FN3zxZ1l5VF/za28VLfoT40+g4wPiK/e7x2NDJ1f10y9JlNxw1ekuL3nK8fspHn4m45fGJSoz55f1FjyDkB6ihd++FKO24MfMTOj38CnZOXq1TJ1VN/BunnAo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=btHQRYEi; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="btHQRYEi" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 75CADC4AF0B; Thu, 11 Dec 2025 01:20:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1765416052; bh=QA13DHhl+4YhpyPWe17T6LrXRA31xdotOdL51bY/g5o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=btHQRYEiURiNQPiKLQUoBWNAu5j2IzeAKxyB3TvE33sA3mEdGrOmgwH/QXKsYaUjf hZZdLwd12m3kEfAG4stbh3rKvuXnu9oDcogWgCe3tJnMm5FWhE7RXKRP0W2Oxe/FRu LiIX6HpdHQT0OxeCC6W5yz5Z0ClQGJcS5hl5097iszy45H46c5J91NBflmzmcBcgcX 5hzv2zzRAphY9u+/9uq19JYrS1iVAxna9qa64rivAPJ1bLOCb9xhIfCTy4d+OK58gx jlYFWXP4o9A6Znt7Kw+JG6tFzfHtgrrQOLOeSH2Qbe5Qv251/3QsTN1g1DHANA6FTt 9kBhoBMMGJjqg== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , Herbert Xu , linux-arm-kernel@lists.infradead.org, x86@kernel.org, Eric Biggers Subject: [PATCH 03/12] lib/crypto: arm/nh: Migrate optimized code into library Date: Wed, 10 Dec 2025 17:18:35 -0800 Message-ID: <20251211011846.8179-4-ebiggers@kernel.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251211011846.8179-1-ebiggers@kernel.org> References: <20251211011846.8179-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Migrate the arm32 NEON implementation of NH into lib/crypto/. This makes the nh() function be optimized on arm32 kernels. Note: this temporarily makes the adiantum template not utilize the arm32 optimized NH code. This is resolved in a later commit that converts the adiantum template to use nh() instead of "nhpoly1305". Signed-off-by: Eric Biggers --- arch/arm/crypto/Kconfig | 10 --- arch/arm/crypto/Makefile | 2 - arch/arm/crypto/nhpoly1305-neon-glue.c | 80 ------------------- lib/crypto/Kconfig | 1 + lib/crypto/Makefile | 1 + .../crypto =3D> lib/crypto/arm}/nh-neon-core.S | 0 lib/crypto/arm/nh.h | 33 ++++++++ 7 files changed, 35 insertions(+), 92 deletions(-) delete mode 100644 arch/arm/crypto/nhpoly1305-neon-glue.c rename {arch/arm/crypto =3D> lib/crypto/arm}/nh-neon-core.S (100%) create mode 100644 lib/crypto/arm/nh.h diff --git a/arch/arm/crypto/Kconfig b/arch/arm/crypto/Kconfig index f30d743df264..3eb5071bea14 100644 --- a/arch/arm/crypto/Kconfig +++ b/arch/arm/crypto/Kconfig @@ -21,20 +21,10 @@ config CRYPTO_GHASH_ARM_CE Use an implementation of GHASH (used by the GCM AEAD chaining mode) that uses the 64x64 to 128 bit polynomial multiplication (vmull.p64) that is part of the ARMv8 Crypto Extensions, or a slower variant that uses the vmull.p8 instruction that is part of the basic NEON ISA. =20 -config CRYPTO_NHPOLY1305_NEON - tristate "Hash functions: NHPoly1305 (NEON)" - depends on KERNEL_MODE_NEON - select CRYPTO_NHPOLY1305 - help - NHPoly1305 hash function (Adiantum) - - Architecture: arm using: - - NEON (Advanced SIMD) extensions - config CRYPTO_AES_ARM tristate "Ciphers: AES" select CRYPTO_ALGAPI select CRYPTO_AES help diff --git a/arch/arm/crypto/Makefile b/arch/arm/crypto/Makefile index 86dd43313dbf..d6683e9d4992 100644 --- a/arch/arm/crypto/Makefile +++ b/arch/arm/crypto/Makefile @@ -3,15 +3,13 @@ # Arch-specific CryptoAPI modules. # =20 obj-$(CONFIG_CRYPTO_AES_ARM) +=3D aes-arm.o obj-$(CONFIG_CRYPTO_AES_ARM_BS) +=3D aes-arm-bs.o -obj-$(CONFIG_CRYPTO_NHPOLY1305_NEON) +=3D nhpoly1305-neon.o =20 obj-$(CONFIG_CRYPTO_AES_ARM_CE) +=3D aes-arm-ce.o obj-$(CONFIG_CRYPTO_GHASH_ARM_CE) +=3D ghash-arm-ce.o =20 aes-arm-y :=3D aes-cipher-core.o aes-cipher-glue.o aes-arm-bs-y :=3D aes-neonbs-core.o aes-neonbs-glue.o aes-arm-ce-y :=3D aes-ce-core.o aes-ce-glue.o ghash-arm-ce-y :=3D ghash-ce-core.o ghash-ce-glue.o -nhpoly1305-neon-y :=3D nh-neon-core.o nhpoly1305-neon-glue.o diff --git a/arch/arm/crypto/nhpoly1305-neon-glue.c b/arch/arm/crypto/nhpol= y1305-neon-glue.c deleted file mode 100644 index 62cf7ccdde73..000000000000 --- a/arch/arm/crypto/nhpoly1305-neon-glue.c +++ /dev/null @@ -1,80 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0 -/* - * NHPoly1305 - =CE=B5-almost-=E2=88=86-universal hash function for Adiant= um - * (NEON accelerated version) - * - * Copyright 2018 Google LLC - */ - -#include -#include -#include -#include -#include -#include - -asmlinkage void nh_neon(const u32 *key, const u8 *message, size_t message_= len, - __le64 hash[NH_NUM_PASSES]); - -static int nhpoly1305_neon_update(struct shash_desc *desc, - const u8 *src, unsigned int srclen) -{ - if (srclen < 64 || !crypto_simd_usable()) - return crypto_nhpoly1305_update(desc, src, srclen); - - do { - unsigned int n =3D min_t(unsigned int, srclen, SZ_4K); - - kernel_neon_begin(); - crypto_nhpoly1305_update_helper(desc, src, n, nh_neon); - kernel_neon_end(); - src +=3D n; - srclen -=3D n; - } while (srclen); - return 0; -} - -static int nhpoly1305_neon_digest(struct shash_desc *desc, - const u8 *src, unsigned int srclen, u8 *out) -{ - return crypto_nhpoly1305_init(desc) ?: - nhpoly1305_neon_update(desc, src, srclen) ?: - crypto_nhpoly1305_final(desc, out); -} - -static struct shash_alg nhpoly1305_alg =3D { - .base.cra_name =3D "nhpoly1305", - .base.cra_driver_name =3D "nhpoly1305-neon", - .base.cra_priority =3D 200, - .base.cra_ctxsize =3D sizeof(struct nhpoly1305_key), - .base.cra_module =3D THIS_MODULE, - .digestsize =3D POLY1305_DIGEST_SIZE, - .init =3D crypto_nhpoly1305_init, - .update =3D nhpoly1305_neon_update, - .final =3D crypto_nhpoly1305_final, - .digest =3D nhpoly1305_neon_digest, - .setkey =3D crypto_nhpoly1305_setkey, - .descsize =3D sizeof(struct nhpoly1305_state), -}; - -static int __init nhpoly1305_mod_init(void) -{ - if (!(elf_hwcap & HWCAP_NEON)) - return -ENODEV; - - return crypto_register_shash(&nhpoly1305_alg); -} - -static void __exit nhpoly1305_mod_exit(void) -{ - crypto_unregister_shash(&nhpoly1305_alg); -} - -module_init(nhpoly1305_mod_init); -module_exit(nhpoly1305_mod_exit); - -MODULE_DESCRIPTION("NHPoly1305 =CE=B5-almost-=E2=88=86-universal hash func= tion (NEON-accelerated)"); -MODULE_LICENSE("GPL v2"); -MODULE_AUTHOR("Eric Biggers "); -MODULE_ALIAS_CRYPTO("nhpoly1305"); -MODULE_ALIAS_CRYPTO("nhpoly1305-neon"); diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig index f14c9f5974d8..c6ee7ca77632 100644 --- a/lib/crypto/Kconfig +++ b/lib/crypto/Kconfig @@ -115,10 +115,11 @@ config CRYPTO_LIB_NH the variant of NH used in Adiantum. =20 config CRYPTO_LIB_NH_ARCH bool depends on CRYPTO_LIB_NH && !UML + default y if ARM && KERNEL_MODE_NEON =20 config CRYPTO_LIB_POLY1305 tristate help The Poly1305 library functions. Select this if your module uses any diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 929b84568809..6dae7e182847 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -133,10 +133,11 @@ libmldsa-y :=3D mldsa.o =20 obj-$(CONFIG_CRYPTO_LIB_NH) +=3D libnh.o libnh-y :=3D nh.o ifeq ($(CONFIG_CRYPTO_LIB_NH_ARCH),y) CFLAGS_nh.o +=3D -I$(src)/$(SRCARCH) +libnh-$(CONFIG_ARM) +=3D arm/nh-neon-core.o endif =20 ##########################################################################= ###### =20 obj-$(CONFIG_CRYPTO_LIB_POLY1305) +=3D libpoly1305.o diff --git a/arch/arm/crypto/nh-neon-core.S b/lib/crypto/arm/nh-neon-core.S similarity index 100% rename from arch/arm/crypto/nh-neon-core.S rename to lib/crypto/arm/nh-neon-core.S diff --git a/lib/crypto/arm/nh.h b/lib/crypto/arm/nh.h new file mode 100644 index 000000000000..c9f39d819336 --- /dev/null +++ b/lib/crypto/arm/nh.h @@ -0,0 +1,33 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * ARM32 accelerated implementation of NH + * + * Copyright 2018 Google LLC + */ + +#include +#include + +static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon); + +asmlinkage void nh_neon(const u32 *key, const u8 *message, size_t message_= len, + __le64 hash[NH_NUM_PASSES]); + +static bool nh_arch(const u32 *key, const u8 *message, size_t message_len, + __le64 hash[NH_NUM_PASSES]) +{ + if (static_branch_likely(&have_neon) && message_len >=3D 64 && + may_use_simd()) { + scoped_ksimd() + nh_neon(key, message, message_len, hash); + return true; + } + return false; +} + +#define nh_mod_init_arch nh_mod_init_arch +static void nh_mod_init_arch(void) +{ + if (elf_hwcap & HWCAP_NEON) + static_branch_enable(&have_neon); +} --=20 2.52.0 From nobody Tue Dec 16 16:35:51 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E95332475CB; Thu, 11 Dec 2025 01:20:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416054; cv=none; b=r0Y8TNSactNtma9ISgVmEpCTxpAqN98d/bTO6RVs9f+jAComkFu/2abxTjWZInxH8a2EXCRxuzxKkoVJslwxunaGqkXAt9PmOzF4K9sA5hqRHR2Drod0EEL0wLumYpiuzavH+uSDAcUP3HFoP74luiHXpuLkayrBQXO7wK79bsE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416054; c=relaxed/simple; bh=QEHq2etmS9RjJGySP14SepK+6u8TcOGeThrTyyMUghY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=I9HZvQZnBVeZmQAlHCa/7JPpbrUEl8Mq/tByH/02gXo/GbUW/SU4lWudFreItv7F9nlLFtYfZ64IyBTFW7llymyEWhhqTnlMHcYApLOVeOdJXjQPa+LYu6b3sNC/Z8Zgab+J5l/sVd9zwzkZnkzFQRrFbOTvqwpUEJhuUmU4faI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Z7Or81+s; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Z7Or81+s" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 19A5FC4CEF7; Thu, 11 Dec 2025 01:20:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1765416053; bh=QEHq2etmS9RjJGySP14SepK+6u8TcOGeThrTyyMUghY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Z7Or81+sGQOl7njUSzB1NJP8F+n0mw8cPNvUhuYhBRAMptPLW60SZBqzUpSZo1oob zuccGi9gEQ8/9/8qik0R94TRftm5alM5xrec8osyJzlM/0qTLtfisNUUZL7IJHapmS dWlwdE03JGTTvQp/OjG+vjUcGaNXqwhB/j6SQnBL63boqrxiq24zP3SPkGiKsXxW0Y b/MsWTR8RQg4oHNBZembxV1Z8vCVL2XVaZ4UO+rf5Fi/UkasxLSsq1WpZHltU+IK2n gucQ6sTnObUhamATNukQtO/De/uofkralSRSE6XBk5eG0W+PEuKv+9keBcV1CpIpR7 NXXunKNCGYWyA== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , Herbert Xu , linux-arm-kernel@lists.infradead.org, x86@kernel.org, Eric Biggers Subject: [PATCH 04/12] lib/crypto: arm64/nh: Migrate optimized code into library Date: Wed, 10 Dec 2025 17:18:36 -0800 Message-ID: <20251211011846.8179-5-ebiggers@kernel.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251211011846.8179-1-ebiggers@kernel.org> References: <20251211011846.8179-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Migrate the arm64 NEON implementation of NH into lib/crypto/. This makes the nh() function be optimized on arm64 kernels. Note: this temporarily makes the adiantum template not utilize the arm64 optimized NH code. This is resolved in a later commit that converts the adiantum template to use nh() instead of "nhpoly1305". Signed-off-by: Eric Biggers --- arch/arm64/crypto/Kconfig | 10 --- arch/arm64/crypto/Makefile | 3 - arch/arm64/crypto/nhpoly1305-neon-glue.c | 79 ------------------- lib/crypto/Kconfig | 1 + lib/crypto/Makefile | 1 + .../crypto/arm64}/nh-neon-core.S | 3 +- lib/crypto/arm64/nh.h | 34 ++++++++ 7 files changed, 37 insertions(+), 94 deletions(-) delete mode 100644 arch/arm64/crypto/nhpoly1305-neon-glue.c rename {arch/arm64/crypto =3D> lib/crypto/arm64}/nh-neon-core.S (97%) create mode 100644 lib/crypto/arm64/nh.h diff --git a/arch/arm64/crypto/Kconfig b/arch/arm64/crypto/Kconfig index bdd276a6e540..da1c9ea8ea83 100644 --- a/arch/arm64/crypto/Kconfig +++ b/arch/arm64/crypto/Kconfig @@ -13,20 +13,10 @@ config CRYPTO_GHASH_ARM64_CE GCM GHASH function (NIST SP800-38D) =20 Architecture: arm64 using: - ARMv8 Crypto Extensions =20 -config CRYPTO_NHPOLY1305_NEON - tristate "Hash functions: NHPoly1305 (NEON)" - depends on KERNEL_MODE_NEON - select CRYPTO_NHPOLY1305 - help - NHPoly1305 hash function (Adiantum) - - Architecture: arm64 using: - - NEON (Advanced SIMD) extensions - config CRYPTO_SM3_NEON tristate "Hash functions: SM3 (NEON)" depends on KERNEL_MODE_NEON select CRYPTO_HASH select CRYPTO_LIB_SM3 diff --git a/arch/arm64/crypto/Makefile b/arch/arm64/crypto/Makefile index 1e330aa08d3f..3ab4b58e5c4c 100644 --- a/arch/arm64/crypto/Makefile +++ b/arch/arm64/crypto/Makefile @@ -39,13 +39,10 @@ obj-$(CONFIG_CRYPTO_AES_ARM64_CE_BLK) +=3D aes-ce-blk.o aes-ce-blk-y :=3D aes-glue-ce.o aes-ce.o =20 obj-$(CONFIG_CRYPTO_AES_ARM64_NEON_BLK) +=3D aes-neon-blk.o aes-neon-blk-y :=3D aes-glue-neon.o aes-neon.o =20 -obj-$(CONFIG_CRYPTO_NHPOLY1305_NEON) +=3D nhpoly1305-neon.o -nhpoly1305-neon-y :=3D nh-neon-core.o nhpoly1305-neon-glue.o - obj-$(CONFIG_CRYPTO_AES_ARM64) +=3D aes-arm64.o aes-arm64-y :=3D aes-cipher-core.o aes-cipher-glue.o =20 obj-$(CONFIG_CRYPTO_AES_ARM64_BS) +=3D aes-neon-bs.o aes-neon-bs-y :=3D aes-neonbs-core.o aes-neonbs-glue.o diff --git a/arch/arm64/crypto/nhpoly1305-neon-glue.c b/arch/arm64/crypto/n= hpoly1305-neon-glue.c deleted file mode 100644 index 013de6ac569a..000000000000 --- a/arch/arm64/crypto/nhpoly1305-neon-glue.c +++ /dev/null @@ -1,79 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0 -/* - * NHPoly1305 - =CE=B5-almost-=E2=88=86-universal hash function for Adiant= um - * (ARM64 NEON accelerated version) - * - * Copyright 2018 Google LLC - */ - -#include -#include -#include -#include -#include -#include - -asmlinkage void nh_neon(const u32 *key, const u8 *message, size_t message_= len, - __le64 hash[NH_NUM_PASSES]); - -static int nhpoly1305_neon_update(struct shash_desc *desc, - const u8 *src, unsigned int srclen) -{ - if (srclen < 64 || !crypto_simd_usable()) - return crypto_nhpoly1305_update(desc, src, srclen); - - do { - unsigned int n =3D min_t(unsigned int, srclen, SZ_4K); - - scoped_ksimd() - crypto_nhpoly1305_update_helper(desc, src, n, nh_neon); - src +=3D n; - srclen -=3D n; - } while (srclen); - return 0; -} - -static int nhpoly1305_neon_digest(struct shash_desc *desc, - const u8 *src, unsigned int srclen, u8 *out) -{ - return crypto_nhpoly1305_init(desc) ?: - nhpoly1305_neon_update(desc, src, srclen) ?: - crypto_nhpoly1305_final(desc, out); -} - -static struct shash_alg nhpoly1305_alg =3D { - .base.cra_name =3D "nhpoly1305", - .base.cra_driver_name =3D "nhpoly1305-neon", - .base.cra_priority =3D 200, - .base.cra_ctxsize =3D sizeof(struct nhpoly1305_key), - .base.cra_module =3D THIS_MODULE, - .digestsize =3D POLY1305_DIGEST_SIZE, - .init =3D crypto_nhpoly1305_init, - .update =3D nhpoly1305_neon_update, - .final =3D crypto_nhpoly1305_final, - .digest =3D nhpoly1305_neon_digest, - .setkey =3D crypto_nhpoly1305_setkey, - .descsize =3D sizeof(struct nhpoly1305_state), -}; - -static int __init nhpoly1305_mod_init(void) -{ - if (!cpu_have_named_feature(ASIMD)) - return -ENODEV; - - return crypto_register_shash(&nhpoly1305_alg); -} - -static void __exit nhpoly1305_mod_exit(void) -{ - crypto_unregister_shash(&nhpoly1305_alg); -} - -module_init(nhpoly1305_mod_init); -module_exit(nhpoly1305_mod_exit); - -MODULE_DESCRIPTION("NHPoly1305 =CE=B5-almost-=E2=88=86-universal hash func= tion (NEON-accelerated)"); -MODULE_LICENSE("GPL v2"); -MODULE_AUTHOR("Eric Biggers "); -MODULE_ALIAS_CRYPTO("nhpoly1305"); -MODULE_ALIAS_CRYPTO("nhpoly1305-neon"); diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig index c6ee7ca77632..aa3f850ece24 100644 --- a/lib/crypto/Kconfig +++ b/lib/crypto/Kconfig @@ -116,10 +116,11 @@ config CRYPTO_LIB_NH =20 config CRYPTO_LIB_NH_ARCH bool depends on CRYPTO_LIB_NH && !UML default y if ARM && KERNEL_MODE_NEON + default y if ARM64 && KERNEL_MODE_NEON =20 config CRYPTO_LIB_POLY1305 tristate help The Poly1305 library functions. Select this if your module uses any diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 6dae7e182847..e3a13952bc2a 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -134,10 +134,11 @@ libmldsa-y :=3D mldsa.o obj-$(CONFIG_CRYPTO_LIB_NH) +=3D libnh.o libnh-y :=3D nh.o ifeq ($(CONFIG_CRYPTO_LIB_NH_ARCH),y) CFLAGS_nh.o +=3D -I$(src)/$(SRCARCH) libnh-$(CONFIG_ARM) +=3D arm/nh-neon-core.o +libnh-$(CONFIG_ARM64) +=3D arm64/nh-neon-core.o endif =20 ##########################################################################= ###### =20 obj-$(CONFIG_CRYPTO_LIB_POLY1305) +=3D libpoly1305.o diff --git a/arch/arm64/crypto/nh-neon-core.S b/lib/crypto/arm64/nh-neon-co= re.S similarity index 97% rename from arch/arm64/crypto/nh-neon-core.S rename to lib/crypto/arm64/nh-neon-core.S index 13eda08fda1e..6fa57fce8085 100644 --- a/arch/arm64/crypto/nh-neon-core.S +++ b/lib/crypto/arm64/nh-neon-core.S @@ -6,11 +6,10 @@ * * Author: Eric Biggers */ =20 #include -#include =20 KEY .req x0 MESSAGE .req x1 MESSAGE_LEN .req x2 HASH .req x3 @@ -61,11 +60,11 @@ * void nh_neon(const u32 *key, const u8 *message, size_t message_len, * __le64 hash[NH_NUM_PASSES]) * * It's guaranteed that message_len % 16 =3D=3D 0. */ -SYM_TYPED_FUNC_START(nh_neon) +SYM_FUNC_START(nh_neon) =20 ld1 {K0.4s,K1.4s}, [KEY], #32 movi PASS0_SUMS.2d, #0 movi PASS1_SUMS.2d, #0 ld1 {K2.4s}, [KEY], #16 diff --git a/lib/crypto/arm64/nh.h b/lib/crypto/arm64/nh.h new file mode 100644 index 000000000000..08902630bdd1 --- /dev/null +++ b/lib/crypto/arm64/nh.h @@ -0,0 +1,34 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * ARM64 accelerated implementation of NH + * + * Copyright 2018 Google LLC + */ + +#include +#include +#include + +static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon); + +asmlinkage void nh_neon(const u32 *key, const u8 *message, size_t message_= len, + __le64 hash[NH_NUM_PASSES]); + +static bool nh_arch(const u32 *key, const u8 *message, size_t message_len, + __le64 hash[NH_NUM_PASSES]) +{ + if (static_branch_likely(&have_neon) && message_len >=3D 64 && + may_use_simd()) { + scoped_ksimd() + nh_neon(key, message, message_len, hash); + return true; + } + return false; +} + +#define nh_mod_init_arch nh_mod_init_arch +static void nh_mod_init_arch(void) +{ + if (cpu_have_named_feature(ASIMD)) + static_branch_enable(&have_neon); +} --=20 2.52.0 From nobody Tue Dec 16 16:35:51 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3E78424A05D; Thu, 11 Dec 2025 01:20:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416054; cv=none; b=hdDEbJGMRQdc0pijeroxa0pMJ5/SYQD1NaKTVDoAf2HpLBJ5da9MxsBWmjjEUZrMPRaaLmCWCPFOZXBO6aEH5hAvIrFuSyw27RiOf3m98QuCoWNCvRVWcoQKGPKHCdKfJsr9QFyH/cT8A7NXwKNZYcUtjMGv1fomfGsBvrnHhww= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416054; c=relaxed/simple; bh=rFGsGEKONQ1i79E/OFO4NhtGkj4q9sAEbmjDHzHgb5Q=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=SzKuX1RGfv/RlQUf+L3Lf51MyGoBurNUnZAKADCIOwxhjNvERLITzzmQvhFxKiiOTU7/9mOFET+zKaHNcCV1WGSPakHt+qve4fywcXg50AiNARRjgveZGKtcdOy4xVv8DB3Y3Yj4bpcgC5OVWdic96Dziv1rn7STJju18G9CvF4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=MN7aq9Qs; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="MN7aq9Qs" Received: by smtp.kernel.org (Postfix) with ESMTPSA id A0469C19422; Thu, 11 Dec 2025 01:20:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1765416054; bh=rFGsGEKONQ1i79E/OFO4NhtGkj4q9sAEbmjDHzHgb5Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MN7aq9QsZOh+siGeAZxuvovZOHx6wrLQIDHeU7svXalJ9rpRsxYkezJvRC4AdMrZ9 UySMYOVyh/RkwNWN8gqgsXIbppPrIbO50CJhcUMl6ecpbd2tW64oeRaTfvYZtprhFz JdWgVQ0+u4KR9KUk1PV0hD9peiEPxr7U4Q7M3bjJc5Ce/UYwrArX0VKYU9W+m6Kelm AXP/ekj19hqsHuJL53AKqODDNYW/PQVUmi5Ofb0hpqU8pkYllg3bczsgBvIh3nhZKe gKl6AE4IkEPyGz9j2tg7ROtsBJjFzXsSsox8DzT4wcSMJSUwn1pH3JlnfAVccAClPM aesBc2THsBMpA== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , Herbert Xu , linux-arm-kernel@lists.infradead.org, x86@kernel.org, Eric Biggers Subject: [PATCH 05/12] lib/crypto: x86/nh: Migrate optimized code into library Date: Wed, 10 Dec 2025 17:18:37 -0800 Message-ID: <20251211011846.8179-6-ebiggers@kernel.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251211011846.8179-1-ebiggers@kernel.org> References: <20251211011846.8179-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Migrate the x86_64 implementations of NH into lib/crypto/. This makes the nh() function be optimized on x86_64 kernels. Note: this temporarily makes the adiantum template not utilize the x86_64 optimized NH code. This is resolved in a later commit that converts the adiantum template to use nh() instead of "nhpoly1305". Signed-off-by: Eric Biggers --- arch/x86/crypto/Kconfig | 20 ----- arch/x86/crypto/Makefile | 5 -- arch/x86/crypto/nhpoly1305-avx2-glue.c | 81 ------------------- arch/x86/crypto/nhpoly1305-sse2-glue.c | 80 ------------------ lib/crypto/Kconfig | 1 + lib/crypto/Makefile | 1 + .../crypto/x86/nh-avx2.S | 3 +- .../crypto/x86/nh-sse2.S | 3 +- lib/crypto/x86/nh.h | 45 +++++++++++ 9 files changed, 49 insertions(+), 190 deletions(-) delete mode 100644 arch/x86/crypto/nhpoly1305-avx2-glue.c delete mode 100644 arch/x86/crypto/nhpoly1305-sse2-glue.c rename arch/x86/crypto/nh-avx2-x86_64.S =3D> lib/crypto/x86/nh-avx2.S (98%) rename arch/x86/crypto/nh-sse2-x86_64.S =3D> lib/crypto/x86/nh-sse2.S (97%) create mode 100644 lib/crypto/x86/nh.h diff --git a/arch/x86/crypto/Kconfig b/arch/x86/crypto/Kconfig index 3fd2423d3cf8..ebb0838eaf30 100644 --- a/arch/x86/crypto/Kconfig +++ b/arch/x86/crypto/Kconfig @@ -331,30 +331,10 @@ config CRYPTO_AEGIS128_AESNI_SSE2 =20 Architecture: x86_64 using: - AES-NI (AES New Instructions) - SSE4.1 (Streaming SIMD Extensions 4.1) =20 -config CRYPTO_NHPOLY1305_SSE2 - tristate "Hash functions: NHPoly1305 (SSE2)" - depends on 64BIT - select CRYPTO_NHPOLY1305 - help - NHPoly1305 hash function for Adiantum - - Architecture: x86_64 using: - - SSE2 (Streaming SIMD Extensions 2) - -config CRYPTO_NHPOLY1305_AVX2 - tristate "Hash functions: NHPoly1305 (AVX2)" - depends on 64BIT - select CRYPTO_NHPOLY1305 - help - NHPoly1305 hash function for Adiantum - - Architecture: x86_64 using: - - AVX2 (Advanced Vector Extensions 2) - config CRYPTO_SM3_AVX_X86_64 tristate "Hash functions: SM3 (AVX)" depends on 64BIT select CRYPTO_HASH select CRYPTO_LIB_SM3 diff --git a/arch/x86/crypto/Makefile b/arch/x86/crypto/Makefile index 5f2fb4f148fe..b21ad0978c52 100644 --- a/arch/x86/crypto/Makefile +++ b/arch/x86/crypto/Makefile @@ -51,15 +51,10 @@ aesni-intel-$(CONFIG_64BIT) +=3D aes-ctr-avx-x86_64.o \ aes-xts-avx-x86_64.o =20 obj-$(CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL) +=3D ghash-clmulni-intel.o ghash-clmulni-intel-y :=3D ghash-clmulni-intel_asm.o ghash-clmulni-intel_g= lue.o =20 -obj-$(CONFIG_CRYPTO_NHPOLY1305_SSE2) +=3D nhpoly1305-sse2.o -nhpoly1305-sse2-y :=3D nh-sse2-x86_64.o nhpoly1305-sse2-glue.o -obj-$(CONFIG_CRYPTO_NHPOLY1305_AVX2) +=3D nhpoly1305-avx2.o -nhpoly1305-avx2-y :=3D nh-avx2-x86_64.o nhpoly1305-avx2-glue.o - obj-$(CONFIG_CRYPTO_SM3_AVX_X86_64) +=3D sm3-avx-x86_64.o sm3-avx-x86_64-y :=3D sm3-avx-asm_64.o sm3_avx_glue.o =20 obj-$(CONFIG_CRYPTO_SM4_AESNI_AVX_X86_64) +=3D sm4-aesni-avx-x86_64.o sm4-aesni-avx-x86_64-y :=3D sm4-aesni-avx-asm_64.o sm4_aesni_avx_glue.o diff --git a/arch/x86/crypto/nhpoly1305-avx2-glue.c b/arch/x86/crypto/nhpol= y1305-avx2-glue.c deleted file mode 100644 index c3a872f4d6a7..000000000000 --- a/arch/x86/crypto/nhpoly1305-avx2-glue.c +++ /dev/null @@ -1,81 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0 -/* - * NHPoly1305 - =CE=B5-almost-=E2=88=86-universal hash function for Adiant= um - * (AVX2 accelerated version) - * - * Copyright 2018 Google LLC - */ - -#include -#include -#include -#include -#include -#include - -asmlinkage void nh_avx2(const u32 *key, const u8 *message, size_t message_= len, - __le64 hash[NH_NUM_PASSES]); - -static int nhpoly1305_avx2_update(struct shash_desc *desc, - const u8 *src, unsigned int srclen) -{ - if (srclen < 64 || !crypto_simd_usable()) - return crypto_nhpoly1305_update(desc, src, srclen); - - do { - unsigned int n =3D min_t(unsigned int, srclen, SZ_4K); - - kernel_fpu_begin(); - crypto_nhpoly1305_update_helper(desc, src, n, nh_avx2); - kernel_fpu_end(); - src +=3D n; - srclen -=3D n; - } while (srclen); - return 0; -} - -static int nhpoly1305_avx2_digest(struct shash_desc *desc, - const u8 *src, unsigned int srclen, u8 *out) -{ - return crypto_nhpoly1305_init(desc) ?: - nhpoly1305_avx2_update(desc, src, srclen) ?: - crypto_nhpoly1305_final(desc, out); -} - -static struct shash_alg nhpoly1305_alg =3D { - .base.cra_name =3D "nhpoly1305", - .base.cra_driver_name =3D "nhpoly1305-avx2", - .base.cra_priority =3D 300, - .base.cra_ctxsize =3D sizeof(struct nhpoly1305_key), - .base.cra_module =3D THIS_MODULE, - .digestsize =3D POLY1305_DIGEST_SIZE, - .init =3D crypto_nhpoly1305_init, - .update =3D nhpoly1305_avx2_update, - .final =3D crypto_nhpoly1305_final, - .digest =3D nhpoly1305_avx2_digest, - .setkey =3D crypto_nhpoly1305_setkey, - .descsize =3D sizeof(struct nhpoly1305_state), -}; - -static int __init nhpoly1305_mod_init(void) -{ - if (!boot_cpu_has(X86_FEATURE_AVX2) || - !boot_cpu_has(X86_FEATURE_OSXSAVE)) - return -ENODEV; - - return crypto_register_shash(&nhpoly1305_alg); -} - -static void __exit nhpoly1305_mod_exit(void) -{ - crypto_unregister_shash(&nhpoly1305_alg); -} - -module_init(nhpoly1305_mod_init); -module_exit(nhpoly1305_mod_exit); - -MODULE_DESCRIPTION("NHPoly1305 =CE=B5-almost-=E2=88=86-universal hash func= tion (AVX2-accelerated)"); -MODULE_LICENSE("GPL v2"); -MODULE_AUTHOR("Eric Biggers "); -MODULE_ALIAS_CRYPTO("nhpoly1305"); -MODULE_ALIAS_CRYPTO("nhpoly1305-avx2"); diff --git a/arch/x86/crypto/nhpoly1305-sse2-glue.c b/arch/x86/crypto/nhpol= y1305-sse2-glue.c deleted file mode 100644 index a268a8439a5c..000000000000 --- a/arch/x86/crypto/nhpoly1305-sse2-glue.c +++ /dev/null @@ -1,80 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0 -/* - * NHPoly1305 - =CE=B5-almost-=E2=88=86-universal hash function for Adiant= um - * (SSE2 accelerated version) - * - * Copyright 2018 Google LLC - */ - -#include -#include -#include -#include -#include -#include - -asmlinkage void nh_sse2(const u32 *key, const u8 *message, size_t message_= len, - __le64 hash[NH_NUM_PASSES]); - -static int nhpoly1305_sse2_update(struct shash_desc *desc, - const u8 *src, unsigned int srclen) -{ - if (srclen < 64 || !crypto_simd_usable()) - return crypto_nhpoly1305_update(desc, src, srclen); - - do { - unsigned int n =3D min_t(unsigned int, srclen, SZ_4K); - - kernel_fpu_begin(); - crypto_nhpoly1305_update_helper(desc, src, n, nh_sse2); - kernel_fpu_end(); - src +=3D n; - srclen -=3D n; - } while (srclen); - return 0; -} - -static int nhpoly1305_sse2_digest(struct shash_desc *desc, - const u8 *src, unsigned int srclen, u8 *out) -{ - return crypto_nhpoly1305_init(desc) ?: - nhpoly1305_sse2_update(desc, src, srclen) ?: - crypto_nhpoly1305_final(desc, out); -} - -static struct shash_alg nhpoly1305_alg =3D { - .base.cra_name =3D "nhpoly1305", - .base.cra_driver_name =3D "nhpoly1305-sse2", - .base.cra_priority =3D 200, - .base.cra_ctxsize =3D sizeof(struct nhpoly1305_key), - .base.cra_module =3D THIS_MODULE, - .digestsize =3D POLY1305_DIGEST_SIZE, - .init =3D crypto_nhpoly1305_init, - .update =3D nhpoly1305_sse2_update, - .final =3D crypto_nhpoly1305_final, - .digest =3D nhpoly1305_sse2_digest, - .setkey =3D crypto_nhpoly1305_setkey, - .descsize =3D sizeof(struct nhpoly1305_state), -}; - -static int __init nhpoly1305_mod_init(void) -{ - if (!boot_cpu_has(X86_FEATURE_XMM2)) - return -ENODEV; - - return crypto_register_shash(&nhpoly1305_alg); -} - -static void __exit nhpoly1305_mod_exit(void) -{ - crypto_unregister_shash(&nhpoly1305_alg); -} - -module_init(nhpoly1305_mod_init); -module_exit(nhpoly1305_mod_exit); - -MODULE_DESCRIPTION("NHPoly1305 =CE=B5-almost-=E2=88=86-universal hash func= tion (SSE2-accelerated)"); -MODULE_LICENSE("GPL v2"); -MODULE_AUTHOR("Eric Biggers "); -MODULE_ALIAS_CRYPTO("nhpoly1305"); -MODULE_ALIAS_CRYPTO("nhpoly1305-sse2"); diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig index aa3f850ece24..33cf46bbadc8 100644 --- a/lib/crypto/Kconfig +++ b/lib/crypto/Kconfig @@ -117,10 +117,11 @@ config CRYPTO_LIB_NH config CRYPTO_LIB_NH_ARCH bool depends on CRYPTO_LIB_NH && !UML default y if ARM && KERNEL_MODE_NEON default y if ARM64 && KERNEL_MODE_NEON + default y if X86_64 =20 config CRYPTO_LIB_POLY1305 tristate help The Poly1305 library functions. Select this if your module uses any diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index e3a13952bc2a..45128eccedef 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -135,10 +135,11 @@ obj-$(CONFIG_CRYPTO_LIB_NH) +=3D libnh.o libnh-y :=3D nh.o ifeq ($(CONFIG_CRYPTO_LIB_NH_ARCH),y) CFLAGS_nh.o +=3D -I$(src)/$(SRCARCH) libnh-$(CONFIG_ARM) +=3D arm/nh-neon-core.o libnh-$(CONFIG_ARM64) +=3D arm64/nh-neon-core.o +libnh-$(CONFIG_X86) +=3D x86/nh-sse2.o x86/nh-avx2.o endif =20 ##########################################################################= ###### =20 obj-$(CONFIG_CRYPTO_LIB_POLY1305) +=3D libpoly1305.o diff --git a/arch/x86/crypto/nh-avx2-x86_64.S b/lib/crypto/x86/nh-avx2.S similarity index 98% rename from arch/x86/crypto/nh-avx2-x86_64.S rename to lib/crypto/x86/nh-avx2.S index 791386d9a83a..9c085a31b137 100644 --- a/arch/x86/crypto/nh-avx2-x86_64.S +++ b/lib/crypto/x86/nh-avx2.S @@ -6,11 +6,10 @@ * * Author: Eric Biggers */ =20 #include -#include =20 #define PASS0_SUMS %ymm0 #define PASS1_SUMS %ymm1 #define PASS2_SUMS %ymm2 #define PASS3_SUMS %ymm3 @@ -68,11 +67,11 @@ * void nh_avx2(const u32 *key, const u8 *message, size_t message_len, * __le64 hash[NH_NUM_PASSES]) * * It's guaranteed that message_len % 16 =3D=3D 0. */ -SYM_TYPED_FUNC_START(nh_avx2) +SYM_FUNC_START(nh_avx2) =20 vmovdqu 0x00(KEY), K0 vmovdqu 0x10(KEY), K1 add $0x20, KEY vpxor PASS0_SUMS, PASS0_SUMS, PASS0_SUMS diff --git a/arch/x86/crypto/nh-sse2-x86_64.S b/lib/crypto/x86/nh-sse2.S similarity index 97% rename from arch/x86/crypto/nh-sse2-x86_64.S rename to lib/crypto/x86/nh-sse2.S index 75fb994b6d17..d36c0e6d5556 100644 --- a/arch/x86/crypto/nh-sse2-x86_64.S +++ b/lib/crypto/x86/nh-sse2.S @@ -6,11 +6,10 @@ * * Author: Eric Biggers */ =20 #include -#include =20 #define PASS0_SUMS %xmm0 #define PASS1_SUMS %xmm1 #define PASS2_SUMS %xmm2 #define PASS3_SUMS %xmm3 @@ -70,11 +69,11 @@ * void nh_sse2(const u32 *key, const u8 *message, size_t message_len, * __le64 hash[NH_NUM_PASSES]) * * It's guaranteed that message_len % 16 =3D=3D 0. */ -SYM_TYPED_FUNC_START(nh_sse2) +SYM_FUNC_START(nh_sse2) =20 movdqu 0x00(KEY), K0 movdqu 0x10(KEY), K1 movdqu 0x20(KEY), K2 add $0x30, KEY diff --git a/lib/crypto/x86/nh.h b/lib/crypto/x86/nh.h new file mode 100644 index 000000000000..83361c2e9783 --- /dev/null +++ b/lib/crypto/x86/nh.h @@ -0,0 +1,45 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * x86_64 accelerated implementation of NH + * + * Copyright 2018 Google LLC + */ + +#include +#include + +static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_sse2); +static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_avx2); + +asmlinkage void nh_sse2(const u32 *key, const u8 *message, size_t message_= len, + __le64 hash[NH_NUM_PASSES]); +asmlinkage void nh_avx2(const u32 *key, const u8 *message, size_t message_= len, + __le64 hash[NH_NUM_PASSES]); + +static bool nh_arch(const u32 *key, const u8 *message, size_t message_len, + __le64 hash[NH_NUM_PASSES]) +{ + if (message_len >=3D 64 && static_branch_likely(&have_sse2) && + irq_fpu_usable()) { + kernel_fpu_begin(); + if (static_branch_likely(&have_avx2)) + nh_avx2(key, message, message_len, hash); + else + nh_sse2(key, message, message_len, hash); + kernel_fpu_end(); + return true; + } + return false; +} + +#define nh_mod_init_arch nh_mod_init_arch +static void nh_mod_init_arch(void) +{ + if (boot_cpu_has(X86_FEATURE_XMM2)) { + static_branch_enable(&have_sse2); + if (boot_cpu_has(X86_FEATURE_AVX2) && + cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, + NULL)) + static_branch_enable(&have_avx2); + } +} --=20 2.52.0 From nobody Tue Dec 16 16:35:51 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 13B52242D72; Thu, 11 Dec 2025 01:20:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416055; cv=none; b=FM31tSlMg0fF89AEdDb7YxYjGXjsnHi6qL8gjvPRVUXzLP8SLOFFAvDsmlR7G4l8cHU4AdrkvDLv4Ilz8eqxR0K45IkoW29xXlxypZKAPM9+PEAwCX5LU1vn5QAwUtBSvcP123MOsckbcmLs/P8+n0au8Qu1ncDSfZ9xaOR9SM0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416055; c=relaxed/simple; bh=A+CNVdsT6Wqi2GfioKWoooWo4EvER4pGygMuQqFuzCk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=RyIiMBO6jiga1966rtHyXT7qaRmalwgrOwcKVGIv0DwfO4Q0JVlhjxpB7HwtsLlzuST0h8tf0fj6R2ftHgOk4KZM0wrgfJ31HpXl14S0Xpgc/E2kTz7mhwdz7IfK7RCRz0cumKTJYQw4lfKp+F1vMU5S7aIj8yXTut9FvBc1f6E= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Q//ynOO2; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Q//ynOO2" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3C601C113D0; Thu, 11 Dec 2025 01:20:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1765416054; bh=A+CNVdsT6Wqi2GfioKWoooWo4EvER4pGygMuQqFuzCk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Q//ynOO2OG4v0l/vtfkV7RfFzju1UYIyQeRtdPR63jqrPihCL2iw5XB5ffrynaVKX DUgyZyjB7Rk8/y0jcmuVZ97kQbs90DlIhBwm0bf4FedU5/sw/9xyIC7G7wgjqGGtnu al+JJNVNRCYduDYNdBXXn+uY9rhkkwudW9wakDuipTNoFYMDjSMx/R87wFZiCw5ML0 RH8oQk8Yfb8nOPxp2SPALuMhPUjaXwOGLnN7rbzlnOhPtDMpN5lpkvwJ7ZkLNGEkIf BV7tpRxlTpIx8XomvM+DKXaSR30EwE1ejFyHkelykUMSKe0Hre/IiswI5IQGdyNdg6 daNvB2z+rgKow== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , Herbert Xu , linux-arm-kernel@lists.infradead.org, x86@kernel.org, Eric Biggers Subject: [PATCH 06/12] crypto: adiantum - Convert to use NH library Date: Wed, 10 Dec 2025 17:18:38 -0800 Message-ID: <20251211011846.8179-7-ebiggers@kernel.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251211011846.8179-1-ebiggers@kernel.org> References: <20251211011846.8179-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Reimplement the Adiantum message hashing using the nh() library function, combined with some code which directly handles the Poly1305 stage. The latter code is derived from crypto/nhpoly1305.c. This eliminates the dependency on the "nhpoly1305" crypto_shash algorithm, which existed only to fit Adiantum message hashing into the traditional Linux crypto API paradigm. Now that simple, architecture-optimized library functions are a well-established option too, we can switch to this simpler implementation. Note: I've dropped the support for the optional third parameter of the adiantum template, which specified the nhpoly1305 implementation. We could keep accepting some strings in this parameter for backwards compatibility, but I don't think it's being used. I believe only "adiantum(xchacha12,aes)" and "adiantum(xchacha20,aes)" are used. Signed-off-by: Eric Biggers --- crypto/Kconfig | 2 +- crypto/adiantum.c | 295 +++++++++++++++++++++++++++++----------------- crypto/testmgr.c | 4 +- 3 files changed, 191 insertions(+), 110 deletions(-) diff --git a/crypto/Kconfig b/crypto/Kconfig index 2e5b195b1b06..89d1ccaa1fa0 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -599,13 +599,13 @@ endmenu menu "Length-preserving ciphers and modes" =20 config CRYPTO_ADIANTUM tristate "Adiantum" select CRYPTO_CHACHA20 + select CRYPTO_LIB_NH select CRYPTO_LIB_POLY1305 select CRYPTO_LIB_POLY1305_GENERIC - select CRYPTO_NHPOLY1305 select CRYPTO_MANAGER help Adiantum tweakable, length-preserving encryption mode =20 Designed for fast and secure disk encryption, especially on diff --git a/crypto/adiantum.c b/crypto/adiantum.c index a6bca877c3c7..bbe519fbd739 100644 --- a/crypto/adiantum.c +++ b/crypto/adiantum.c @@ -18,27 +18,18 @@ * * For flexibility, this implementation also allows other ciphers: * * - Stream cipher: XChaCha12 or XChaCha20 * - Block cipher: any with a 128-bit block size and 256-bit key - * - * This implementation doesn't currently allow other =CE=B5-=E2=88=86U has= h functions, i.e. - * HPolyC is not supported. This is because Adiantum is ~20% faster than = HPolyC - * but still provably as secure, and also the =CE=B5-=E2=88=86U hash funct= ion of HBSH is - * formally defined to take two inputs (tweak, message) which makes it dif= ficult - * to wrap with the crypto_shash API. Rather, some details need to be han= dled - * here. Nevertheless, if needed in the future, support for other =CE=B5-= =E2=88=86U hash - * functions could be added here. */ =20 #include #include #include -#include #include #include -#include +#include #include #include =20 /* * Size of right-hand part of input data, in bytes; also the size of the b= lock @@ -48,11 +39,11 @@ =20 /* Size of the block cipher key (K_E) in bytes */ #define BLOCKCIPHER_KEY_SIZE 32 =20 /* Size of the hash key (K_H) in bytes */ -#define HASH_KEY_SIZE (POLY1305_BLOCK_SIZE + NHPOLY1305_KEY_SIZE) +#define HASH_KEY_SIZE (2 * POLY1305_BLOCK_SIZE + NH_KEY_BYTES) =20 /* * The specification allows variable-length tweaks, but Linux's crypto API * currently only allows algorithms to support a single length. The "natu= ral" * tweak length for Adiantum is 16, since that fits into one Poly1305 bloc= k for @@ -62,18 +53,35 @@ #define TWEAK_SIZE 32 =20 struct adiantum_instance_ctx { struct crypto_skcipher_spawn streamcipher_spawn; struct crypto_cipher_spawn blockcipher_spawn; - struct crypto_shash_spawn hash_spawn; }; =20 struct adiantum_tfm_ctx { struct crypto_skcipher *streamcipher; struct crypto_cipher *blockcipher; - struct crypto_shash *hash; struct poly1305_core_key header_hash_key; + struct poly1305_core_key msg_poly_key; + u32 nh_key[NH_KEY_WORDS]; +}; + +struct nhpoly1305_ctx { + /* Running total of polynomial evaluation */ + struct poly1305_state poly_state; + + /* Partial block buffer */ + u8 buffer[NH_MESSAGE_UNIT]; + unsigned int buflen; + + /* + * Number of bytes remaining until the current NH message reaches + * NH_MESSAGE_BYTES. When nonzero, 'nh_hash' holds the partial NH hash. + */ + unsigned int nh_remaining; + + __le64 nh_hash[NH_NUM_PASSES]; }; =20 struct adiantum_request_ctx { =20 /* @@ -96,13 +104,16 @@ struct adiantum_request_ctx { * The result of the Poly1305 =CE=B5-=E2=88=86U hash function applied to * (bulk length, tweak) */ le128 header_hash; =20 - /* Sub-requests, must be last */ + /* + * skcipher sub-request size is unknown at compile-time, so it needs to + * go after the members with known sizes. + */ union { - struct shash_desc hash_desc; + struct nhpoly1305_ctx hash_ctx; struct skcipher_request streamcipher_req; } u; }; =20 /* @@ -168,16 +179,15 @@ static int adiantum_setkey(struct crypto_skcipher *tf= m, const u8 *key, keyp +=3D BLOCKCIPHER_KEY_SIZE; =20 /* Set the hash key (K_H) */ poly1305_core_setkey(&tctx->header_hash_key, keyp); keyp +=3D POLY1305_BLOCK_SIZE; - - crypto_shash_clear_flags(tctx->hash, CRYPTO_TFM_REQ_MASK); - crypto_shash_set_flags(tctx->hash, crypto_skcipher_get_flags(tfm) & - CRYPTO_TFM_REQ_MASK); - err =3D crypto_shash_setkey(tctx->hash, keyp, NHPOLY1305_KEY_SIZE); - keyp +=3D NHPOLY1305_KEY_SIZE; + poly1305_core_setkey(&tctx->msg_poly_key, keyp); + keyp +=3D POLY1305_BLOCK_SIZE; + for (int i =3D 0; i < NH_KEY_WORDS; i++) + tctx->nh_key[i] =3D get_unaligned_le32(&keyp[i * 4]); + keyp +=3D NH_KEY_BYTES; WARN_ON(keyp !=3D &data->derived_keys[ARRAY_SIZE(data->derived_keys)]); out: kfree_sensitive(data); return err; } @@ -241,39 +251,147 @@ static void adiantum_hash_header(struct skcipher_req= uest *req) TWEAK_SIZE / POLY1305_BLOCK_SIZE, 1); =20 poly1305_core_emit(&state, NULL, &rctx->header_hash); } =20 -/* Hash the left-hand part (the "bulk") of the message using NHPoly1305 */ -static int adiantum_hash_message(struct skcipher_request *req, - struct scatterlist *sgl, unsigned int nents, - le128 *digest) +/* Pass the next NH hash value through Poly1305 */ +static void process_nh_hash_value(struct nhpoly1305_ctx *ctx, + const struct adiantum_tfm_ctx *key) +{ + static_assert(NH_HASH_BYTES % POLY1305_BLOCK_SIZE =3D=3D 0); + + poly1305_core_blocks(&ctx->poly_state, &key->msg_poly_key, ctx->nh_hash, + NH_HASH_BYTES / POLY1305_BLOCK_SIZE, 1); +} + +/* + * Feed the next portion of the message data, as a whole number of 16-byte + * "NH message units", through NH and Poly1305. Each NH hash is taken over + * 1024 bytes, except possibly the final one which is taken over a multipl= e of + * 16 bytes up to 1024. Also, in the case where data is passed in misalig= ned + * chunks, we combine partial hashes; the end result is the same either wa= y. + */ +static void nhpoly1305_units(struct nhpoly1305_ctx *ctx, + const struct adiantum_tfm_ctx *key, + const u8 *data, size_t len) +{ + do { + unsigned int bytes; + + if (ctx->nh_remaining =3D=3D 0) { + /* Starting a new NH message */ + bytes =3D min(len, NH_MESSAGE_BYTES); + nh(key->nh_key, data, bytes, ctx->nh_hash); + ctx->nh_remaining =3D NH_MESSAGE_BYTES - bytes; + } else { + /* Continuing a previous NH message */ + __le64 tmp_hash[NH_NUM_PASSES]; + unsigned int pos; + + pos =3D NH_MESSAGE_BYTES - ctx->nh_remaining; + bytes =3D min(len, ctx->nh_remaining); + nh(&key->nh_key[pos / 4], data, bytes, tmp_hash); + for (int i =3D 0; i < NH_NUM_PASSES; i++) + le64_add_cpu(&ctx->nh_hash[i], + le64_to_cpu(tmp_hash[i])); + ctx->nh_remaining -=3D bytes; + } + if (ctx->nh_remaining =3D=3D 0) + process_nh_hash_value(ctx, key); + data +=3D bytes; + len -=3D bytes; + } while (len); +} + +static void nhpoly1305_init(struct nhpoly1305_ctx *ctx) +{ + poly1305_core_init(&ctx->poly_state); + ctx->buflen =3D 0; + ctx->nh_remaining =3D 0; +} + +static void nhpoly1305_update(struct nhpoly1305_ctx *ctx, + const struct adiantum_tfm_ctx *key, + const u8 *data, size_t len) { + unsigned int bytes; + + if (ctx->buflen) { + bytes =3D min(len, (int)NH_MESSAGE_UNIT - ctx->buflen); + memcpy(&ctx->buffer[ctx->buflen], data, bytes); + ctx->buflen +=3D bytes; + if (ctx->buflen < NH_MESSAGE_UNIT) + return; + nhpoly1305_units(ctx, key, ctx->buffer, NH_MESSAGE_UNIT); + ctx->buflen =3D 0; + data +=3D bytes; + len -=3D bytes; + } + + if (len >=3D NH_MESSAGE_UNIT) { + bytes =3D round_down(len, NH_MESSAGE_UNIT); + nhpoly1305_units(ctx, key, data, bytes); + data +=3D bytes; + len -=3D bytes; + } + + if (len) { + memcpy(ctx->buffer, data, len); + ctx->buflen =3D len; + } +} + +static void nhpoly1305_final(struct nhpoly1305_ctx *ctx, + const struct adiantum_tfm_ctx *key, le128 *out) +{ + if (ctx->buflen) { + memset(&ctx->buffer[ctx->buflen], 0, + NH_MESSAGE_UNIT - ctx->buflen); + nhpoly1305_units(ctx, key, ctx->buffer, NH_MESSAGE_UNIT); + } + + if (ctx->nh_remaining) + process_nh_hash_value(ctx, key); + + poly1305_core_emit(&ctx->poly_state, NULL, out); +} + +/* + * Hash the left-hand part (the "bulk") of the message as follows: + * + * H_L =E2=86=90 Poly1305_{K_L}(NH_{K_N}(pad_{128}(L))) + * + * See section 6.4 of the Adiantum paper. This is an =CE=B5-almost-=E2=88= =86-universal + * (=CE=B5-=E2=88=86U) hash function for equal-length inputs over Z/(2^{12= 8}Z), where the "=E2=88=86" + * operation is addition. It hashes 1024-byte chunks of the input with th= e NH + * hash function, reducing the input length by 32x. The resulting NH hash= es are + * evaluated as a polynomial in GF(2^{130}-5), like in the Poly1305 MAC. = Note + * that the polynomial evaluation by itself would suffice to achieve the = =CE=B5-=E2=88=86U + * property; NH is used for performance since it's much faster than Poly13= 05. + */ +static void adiantum_hash_message(struct skcipher_request *req, + struct scatterlist *sgl, unsigned int nents, + le128 *out) +{ + struct crypto_skcipher *tfm =3D crypto_skcipher_reqtfm(req); + const struct adiantum_tfm_ctx *tctx =3D crypto_skcipher_ctx(tfm); struct adiantum_request_ctx *rctx =3D skcipher_request_ctx(req); const unsigned int bulk_len =3D req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; - struct shash_desc *hash_desc =3D &rctx->u.hash_desc; struct sg_mapping_iter miter; unsigned int i, n; - int err; =20 - err =3D crypto_shash_init(hash_desc); - if (err) - return err; + nhpoly1305_init(&rctx->u.hash_ctx); =20 sg_miter_start(&miter, sgl, nents, SG_MITER_FROM_SG | SG_MITER_ATOMIC); for (i =3D 0; i < bulk_len; i +=3D n) { sg_miter_next(&miter); n =3D min_t(unsigned int, miter.length, bulk_len - i); - err =3D crypto_shash_update(hash_desc, miter.addr, n); - if (err) - break; + nhpoly1305_update(&rctx->u.hash_ctx, tctx, miter.addr, n); } sg_miter_stop(&miter); - if (err) - return err; =20 - return crypto_shash_final(hash_desc, (u8 *)digest); + nhpoly1305_final(&rctx->u.hash_ctx, tctx, out); } =20 /* Continue Adiantum encryption/decryption after the stream cipher step */ static int adiantum_finish(struct skcipher_request *req) { @@ -282,11 +400,10 @@ static int adiantum_finish(struct skcipher_request *r= eq) struct adiantum_request_ctx *rctx =3D skcipher_request_ctx(req); const unsigned int bulk_len =3D req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; struct scatterlist *dst =3D req->dst; const unsigned int dst_nents =3D sg_nents(dst); le128 digest; - int err; =20 /* If decrypting, decrypt C_M with the block cipher to get P_M */ if (!rctx->enc) crypto_cipher_decrypt_one(tctx->blockcipher, rctx->rbuf.bytes, rctx->rbuf.bytes); @@ -294,32 +411,26 @@ static int adiantum_finish(struct skcipher_request *r= eq) /* * Second hash step * enc: C_R =3D C_M - H_{K_H}(T, C_L) * dec: P_R =3D P_M - H_{K_H}(T, P_L) */ - rctx->u.hash_desc.tfm =3D tctx->hash; le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &rctx->header_hash); if (dst_nents =3D=3D 1 && dst->offset + req->cryptlen <=3D PAGE_SIZE) { /* Fast path for single-page destination */ struct page *page =3D sg_page(dst); void *virt =3D kmap_local_page(page) + dst->offset; =20 - err =3D crypto_shash_digest(&rctx->u.hash_desc, virt, bulk_len, - (u8 *)&digest); - if (err) { - kunmap_local(virt); - return err; - } + nhpoly1305_init(&rctx->u.hash_ctx); + nhpoly1305_update(&rctx->u.hash_ctx, tctx, virt, bulk_len); + nhpoly1305_final(&rctx->u.hash_ctx, tctx, &digest); le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest); memcpy(virt + bulk_len, &rctx->rbuf.bignum, sizeof(le128)); flush_dcache_page(page); kunmap_local(virt); } else { /* Slow path that works for any destination scatterlist */ - err =3D adiantum_hash_message(req, dst, dst_nents, &digest); - if (err) - return err; + adiantum_hash_message(req, dst, dst_nents, &digest); le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest); scatterwalk_map_and_copy(&rctx->rbuf.bignum, dst, bulk_len, sizeof(le128), 1); } return 0; @@ -343,11 +454,10 @@ static int adiantum_crypt(struct skcipher_request *re= q, bool enc) const unsigned int bulk_len =3D req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; struct scatterlist *src =3D req->src; const unsigned int src_nents =3D sg_nents(src); unsigned int stream_len; le128 digest; - int err; =20 if (req->cryptlen < BLOCKCIPHER_BLOCK_SIZE) return -EINVAL; =20 rctx->enc =3D enc; @@ -356,27 +466,25 @@ static int adiantum_crypt(struct skcipher_request *re= q, bool enc) * First hash step * enc: P_M =3D P_R + H_{K_H}(T, P_L) * dec: C_M =3D C_R + H_{K_H}(T, C_L) */ adiantum_hash_header(req); - rctx->u.hash_desc.tfm =3D tctx->hash; if (src_nents =3D=3D 1 && src->offset + req->cryptlen <=3D PAGE_SIZE) { /* Fast path for single-page source */ void *virt =3D kmap_local_page(sg_page(src)) + src->offset; =20 - err =3D crypto_shash_digest(&rctx->u.hash_desc, virt, bulk_len, - (u8 *)&digest); + nhpoly1305_init(&rctx->u.hash_ctx); + nhpoly1305_update(&rctx->u.hash_ctx, tctx, virt, bulk_len); + nhpoly1305_final(&rctx->u.hash_ctx, tctx, &digest); memcpy(&rctx->rbuf.bignum, virt + bulk_len, sizeof(le128)); kunmap_local(virt); } else { /* Slow path that works for any source scatterlist */ - err =3D adiantum_hash_message(req, src, src_nents, &digest); + adiantum_hash_message(req, src, src_nents, &digest); scatterwalk_map_and_copy(&rctx->rbuf.bignum, src, bulk_len, sizeof(le128), 0); } - if (err) - return err; le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &rctx->header_hash); le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest); =20 /* If encrypting, encrypt P_M with the block cipher to get C_M */ if (enc) @@ -429,12 +537,10 @@ static int adiantum_init_tfm(struct crypto_skcipher *= tfm) struct skcipher_instance *inst =3D skcipher_alg_instance(tfm); struct adiantum_instance_ctx *ictx =3D skcipher_instance_ctx(inst); struct adiantum_tfm_ctx *tctx =3D crypto_skcipher_ctx(tfm); struct crypto_skcipher *streamcipher; struct crypto_cipher *blockcipher; - struct crypto_shash *hash; - unsigned int subreq_size; int err; =20 streamcipher =3D crypto_spawn_skcipher(&ictx->streamcipher_spawn); if (IS_ERR(streamcipher)) return PTR_ERR(streamcipher); @@ -443,36 +549,22 @@ static int adiantum_init_tfm(struct crypto_skcipher *= tfm) if (IS_ERR(blockcipher)) { err =3D PTR_ERR(blockcipher); goto err_free_streamcipher; } =20 - hash =3D crypto_spawn_shash(&ictx->hash_spawn); - if (IS_ERR(hash)) { - err =3D PTR_ERR(hash); - goto err_free_blockcipher; - } - tctx->streamcipher =3D streamcipher; tctx->blockcipher =3D blockcipher; - tctx->hash =3D hash; =20 BUILD_BUG_ON(offsetofend(struct adiantum_request_ctx, u) !=3D sizeof(struct adiantum_request_ctx)); - subreq_size =3D max(sizeof_field(struct adiantum_request_ctx, - u.hash_desc) + - crypto_shash_descsize(hash), - sizeof_field(struct adiantum_request_ctx, - u.streamcipher_req) + - crypto_skcipher_reqsize(streamcipher)); - - crypto_skcipher_set_reqsize(tfm, - offsetof(struct adiantum_request_ctx, u) + - subreq_size); + crypto_skcipher_set_reqsize( + tfm, max(sizeof(struct adiantum_request_ctx), + offsetofend(struct adiantum_request_ctx, + u.streamcipher_req) + + crypto_skcipher_reqsize(streamcipher))); return 0; =20 -err_free_blockcipher: - crypto_free_cipher(blockcipher); err_free_streamcipher: crypto_free_skcipher(streamcipher); return err; } =20 @@ -480,30 +572,28 @@ static void adiantum_exit_tfm(struct crypto_skcipher = *tfm) { struct adiantum_tfm_ctx *tctx =3D crypto_skcipher_ctx(tfm); =20 crypto_free_skcipher(tctx->streamcipher); crypto_free_cipher(tctx->blockcipher); - crypto_free_shash(tctx->hash); } =20 static void adiantum_free_instance(struct skcipher_instance *inst) { struct adiantum_instance_ctx *ictx =3D skcipher_instance_ctx(inst); =20 crypto_drop_skcipher(&ictx->streamcipher_spawn); crypto_drop_cipher(&ictx->blockcipher_spawn); - crypto_drop_shash(&ictx->hash_spawn); kfree(inst); } =20 /* * Check for a supported set of inner algorithms. * See the comment at the beginning of this file. */ -static bool adiantum_supported_algorithms(struct skcipher_alg_common *stre= amcipher_alg, - struct crypto_alg *blockcipher_alg, - struct shash_alg *hash_alg) +static bool +adiantum_supported_algorithms(struct skcipher_alg_common *streamcipher_alg, + struct crypto_alg *blockcipher_alg) { if (strcmp(streamcipher_alg->base.cra_name, "xchacha12") !=3D 0 && strcmp(streamcipher_alg->base.cra_name, "xchacha20") !=3D 0) return false; =20 @@ -511,25 +601,20 @@ static bool adiantum_supported_algorithms(struct skci= pher_alg_common *streamciph blockcipher_alg->cra_cipher.cia_max_keysize < BLOCKCIPHER_KEY_SIZE) return false; if (blockcipher_alg->cra_blocksize !=3D BLOCKCIPHER_BLOCK_SIZE) return false; =20 - if (strcmp(hash_alg->base.cra_name, "nhpoly1305") !=3D 0) - return false; - return true; } =20 static int adiantum_create(struct crypto_template *tmpl, struct rtattr **t= b) { u32 mask; - const char *nhpoly1305_name; struct skcipher_instance *inst; struct adiantum_instance_ctx *ictx; struct skcipher_alg_common *streamcipher_alg; struct crypto_alg *blockcipher_alg; - struct shash_alg *hash_alg; int err; =20 err =3D crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SKCIPHER, &mask); if (err) return err; @@ -553,27 +638,25 @@ static int adiantum_create(struct crypto_template *tm= pl, struct rtattr **tb) crypto_attr_alg_name(tb[2]), 0, mask); if (err) goto err_free_inst; blockcipher_alg =3D crypto_spawn_cipher_alg(&ictx->blockcipher_spawn); =20 - /* NHPoly1305 =CE=B5-=E2=88=86U hash function */ - nhpoly1305_name =3D crypto_attr_alg_name(tb[3]); - if (nhpoly1305_name =3D=3D ERR_PTR(-ENOENT)) - nhpoly1305_name =3D "nhpoly1305"; - err =3D crypto_grab_shash(&ictx->hash_spawn, - skcipher_crypto_instance(inst), - nhpoly1305_name, 0, mask); - if (err) + /* + * Originally there was an optional third parameter, for requesting a + * specific implementation of "nhpoly1305" for message hashing. This is + * no longer supported. The best implementation is just always used. + */ + if (crypto_attr_alg_name(tb[3]) !=3D ERR_PTR(-ENOENT)) { + err =3D -ENOENT; goto err_free_inst; - hash_alg =3D crypto_spawn_shash_alg(&ictx->hash_spawn); + } =20 /* Check the set of algorithms */ - if (!adiantum_supported_algorithms(streamcipher_alg, blockcipher_alg, - hash_alg)) { - pr_warn("Unsupported Adiantum instantiation: (%s,%s,%s)\n", + if (!adiantum_supported_algorithms(streamcipher_alg, blockcipher_alg)) { + pr_warn("Unsupported Adiantum instantiation: (%s,%s)\n", streamcipher_alg->base.cra_name, - blockcipher_alg->cra_name, hash_alg->base.cra_name); + blockcipher_alg->cra_name); err =3D -EINVAL; goto err_free_inst; } =20 /* Instance fields */ @@ -582,28 +665,26 @@ static int adiantum_create(struct crypto_template *tm= pl, struct rtattr **tb) if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, "adiantum(%s,%s)", streamcipher_alg->base.cra_name, blockcipher_alg->cra_name) >=3D CRYPTO_MAX_ALG_NAME) goto err_free_inst; if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, - "adiantum(%s,%s,%s)", - streamcipher_alg->base.cra_driver_name, - blockcipher_alg->cra_driver_name, - hash_alg->base.cra_driver_name) >=3D CRYPTO_MAX_ALG_NAME) + "adiantum(%s,%s)", streamcipher_alg->base.cra_driver_name, + blockcipher_alg->cra_driver_name) >=3D CRYPTO_MAX_ALG_NAME) goto err_free_inst; =20 inst->alg.base.cra_blocksize =3D BLOCKCIPHER_BLOCK_SIZE; inst->alg.base.cra_ctxsize =3D sizeof(struct adiantum_tfm_ctx); inst->alg.base.cra_alignmask =3D streamcipher_alg->base.cra_alignmask; /* * The block cipher is only invoked once per message, so for long * messages (e.g. sectors for disk encryption) its performance doesn't - * matter as much as that of the stream cipher and hash function. Thus, - * weigh the block cipher's ->cra_priority less. + * matter as much as that of the stream cipher. Thus, weigh the block + * cipher's ->cra_priority less. */ inst->alg.base.cra_priority =3D (4 * streamcipher_alg->base.cra_priority + - 2 * hash_alg->base.cra_priority + - blockcipher_alg->cra_priority) / 7; + blockcipher_alg->cra_priority) / + 5; =20 inst->alg.setkey =3D adiantum_setkey; inst->alg.encrypt =3D adiantum_encrypt; inst->alg.decrypt =3D adiantum_decrypt; inst->alg.init =3D adiantum_init_tfm; @@ -620,11 +701,11 @@ static int adiantum_create(struct crypto_template *tm= pl, struct rtattr **tb) adiantum_free_instance(inst); } return err; } =20 -/* adiantum(streamcipher_name, blockcipher_name [, nhpoly1305_name]) */ +/* adiantum(streamcipher_name, blockcipher_name) */ static struct crypto_template adiantum_tmpl =3D { .name =3D "adiantum", .create =3D adiantum_create, .module =3D THIS_MODULE, }; diff --git a/crypto/testmgr.c b/crypto/testmgr.c index a302be53896d..d9fc671d5941 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -4059,18 +4059,18 @@ static int alg_test_null(const struct alg_test_desc= *desc, =20 /* Please keep this list sorted by algorithm name. */ static const struct alg_test_desc alg_test_descs[] =3D { { .alg =3D "adiantum(xchacha12,aes)", - .generic_driver =3D "adiantum(xchacha12-lib,aes-generic,nhpoly1305-gener= ic)", + .generic_driver =3D "adiantum(xchacha12-lib,aes-generic)", .test =3D alg_test_skcipher, .suite =3D { .cipher =3D __VECS(adiantum_xchacha12_aes_tv_template) }, }, { .alg =3D "adiantum(xchacha20,aes)", - .generic_driver =3D "adiantum(xchacha20-lib,aes-generic,nhpoly1305-gener= ic)", + .generic_driver =3D "adiantum(xchacha20-lib,aes-generic)", .test =3D alg_test_skcipher, .suite =3D { .cipher =3D __VECS(adiantum_xchacha20_aes_tv_template) }, }, { --=20 2.52.0 From nobody Tue Dec 16 16:35:51 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DCBF3262FC0; Thu, 11 Dec 2025 01:20:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416056; cv=none; b=fZUy8SSKGjW/u3m7W9MCX6XZsChXeGtxtsuQIjf6itfgSTwrWoYDGeI43WlTAqxlFrnzZHuWw0pw0bR35A5BIIcNkKJFyzecHL7A74YvQGjifFJKb2hYm1Wbm2hpSCVXLUIkYv5ySjAPl9yTGOnsgX1leKoFBU95B1M9BG7ZdxI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416056; c=relaxed/simple; bh=onANQhEwtvrw+cy6TRC7cmRjkfIZ8qsWJbXDQ34RlFI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=DUcYqP/znBupraZ1dHEsDLLMSDeYVqVw4Uy//HV1S9YlazzrYITET0lOMTpqpvMAATm/j+r01gLZXDBSsmCXrF9kvRNQ3XNEDF0QzzSnDsca8JhqXlcDGLK7CFIhLsunwz3FUD9U4mo0LdXwTIaU0AJ8Ks7gIZyKvf2TXL7OmT8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=GTNAoBZQ; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="GTNAoBZQ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id CFBEBC4CEF7; Thu, 11 Dec 2025 01:20:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1765416055; bh=onANQhEwtvrw+cy6TRC7cmRjkfIZ8qsWJbXDQ34RlFI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=GTNAoBZQd2c+wa4Nq0ztoPr7lKhdWTsoBS9yHf06SVXxEeq58TfLq6Y4CC0ukBw71 kFDBv4X7IdLvrkgq884PSpUeTUMbSofy1yYYTQwvCnKyubE3hDlN0SJugJfwpGvpxd VhWudBFqEgrHW5GbHbg8l9utmgpEcw3Rh97kZdkm+F2e02KlgeNICGo/chsM8ImNQe idNguk/kP2WmW6IE3JKwEBYtqsaXrB8vXmFVioks6Aoa7kYfdrcCXtlftSi4T7Pls2 ZpsG+RBrzfl5ZGtvFK6ARpcpXX3dFwqJiPjS5+rMFDLlGo30W8N5CcyDFNCsoX2Wna G0XAIHMlVP7GA== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , Herbert Xu , linux-arm-kernel@lists.infradead.org, x86@kernel.org, Eric Biggers Subject: [PATCH 07/12] crypto: adiantum - Use scatter_walk API instead of sg_miter Date: Wed, 10 Dec 2025 17:18:39 -0800 Message-ID: <20251211011846.8179-8-ebiggers@kernel.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251211011846.8179-1-ebiggers@kernel.org> References: <20251211011846.8179-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Make adiantum_hash_message() use the scatter_walk API instead of sg_miter. scatter_walk is a bit simpler and also more efficient. For example, unlike sg_miter, scatter_walk doesn't require that the number of scatterlist entries be calculated up-front. Signed-off-by: Eric Biggers --- crypto/adiantum.c | 33 +++++++++++++++------------------ 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/crypto/adiantum.c b/crypto/adiantum.c index bbe519fbd739..519e95228ad8 100644 --- a/crypto/adiantum.c +++ b/crypto/adiantum.c @@ -367,30 +367,27 @@ static void nhpoly1305_final(struct nhpoly1305_ctx *c= tx, * evaluated as a polynomial in GF(2^{130}-5), like in the Poly1305 MAC. = Note * that the polynomial evaluation by itself would suffice to achieve the = =CE=B5-=E2=88=86U * property; NH is used for performance since it's much faster than Poly13= 05. */ static void adiantum_hash_message(struct skcipher_request *req, - struct scatterlist *sgl, unsigned int nents, - le128 *out) + struct scatterlist *sgl, le128 *out) { struct crypto_skcipher *tfm =3D crypto_skcipher_reqtfm(req); const struct adiantum_tfm_ctx *tctx =3D crypto_skcipher_ctx(tfm); struct adiantum_request_ctx *rctx =3D skcipher_request_ctx(req); - const unsigned int bulk_len =3D req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; - struct sg_mapping_iter miter; - unsigned int i, n; + unsigned int len =3D req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; + struct scatter_walk walk; =20 nhpoly1305_init(&rctx->u.hash_ctx); + scatterwalk_start(&walk, sgl); + while (len) { + unsigned int n =3D scatterwalk_next(&walk, len); =20 - sg_miter_start(&miter, sgl, nents, SG_MITER_FROM_SG | SG_MITER_ATOMIC); - for (i =3D 0; i < bulk_len; i +=3D n) { - sg_miter_next(&miter); - n =3D min_t(unsigned int, miter.length, bulk_len - i); - nhpoly1305_update(&rctx->u.hash_ctx, tctx, miter.addr, n); + nhpoly1305_update(&rctx->u.hash_ctx, tctx, walk.addr, n); + scatterwalk_done_src(&walk, n); + len -=3D n; } - sg_miter_stop(&miter); - nhpoly1305_final(&rctx->u.hash_ctx, tctx, out); } =20 /* Continue Adiantum encryption/decryption after the stream cipher step */ static int adiantum_finish(struct skcipher_request *req) @@ -398,11 +395,10 @@ static int adiantum_finish(struct skcipher_request *r= eq) struct crypto_skcipher *tfm =3D crypto_skcipher_reqtfm(req); const struct adiantum_tfm_ctx *tctx =3D crypto_skcipher_ctx(tfm); struct adiantum_request_ctx *rctx =3D skcipher_request_ctx(req); const unsigned int bulk_len =3D req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; struct scatterlist *dst =3D req->dst; - const unsigned int dst_nents =3D sg_nents(dst); le128 digest; =20 /* If decrypting, decrypt C_M with the block cipher to get P_M */ if (!rctx->enc) crypto_cipher_decrypt_one(tctx->blockcipher, rctx->rbuf.bytes, @@ -412,11 +408,12 @@ static int adiantum_finish(struct skcipher_request *r= eq) * Second hash step * enc: C_R =3D C_M - H_{K_H}(T, C_L) * dec: P_R =3D P_M - H_{K_H}(T, P_L) */ le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &rctx->header_hash); - if (dst_nents =3D=3D 1 && dst->offset + req->cryptlen <=3D PAGE_SIZE) { + if (dst->length >=3D req->cryptlen && + dst->offset + req->cryptlen <=3D PAGE_SIZE) { /* Fast path for single-page destination */ struct page *page =3D sg_page(dst); void *virt =3D kmap_local_page(page) + dst->offset; =20 nhpoly1305_init(&rctx->u.hash_ctx); @@ -426,11 +423,11 @@ static int adiantum_finish(struct skcipher_request *r= eq) memcpy(virt + bulk_len, &rctx->rbuf.bignum, sizeof(le128)); flush_dcache_page(page); kunmap_local(virt); } else { /* Slow path that works for any destination scatterlist */ - adiantum_hash_message(req, dst, dst_nents, &digest); + adiantum_hash_message(req, dst, &digest); le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest); scatterwalk_map_and_copy(&rctx->rbuf.bignum, dst, bulk_len, sizeof(le128), 1); } return 0; @@ -451,11 +448,10 @@ static int adiantum_crypt(struct skcipher_request *re= q, bool enc) struct crypto_skcipher *tfm =3D crypto_skcipher_reqtfm(req); const struct adiantum_tfm_ctx *tctx =3D crypto_skcipher_ctx(tfm); struct adiantum_request_ctx *rctx =3D skcipher_request_ctx(req); const unsigned int bulk_len =3D req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; struct scatterlist *src =3D req->src; - const unsigned int src_nents =3D sg_nents(src); unsigned int stream_len; le128 digest; =20 if (req->cryptlen < BLOCKCIPHER_BLOCK_SIZE) return -EINVAL; @@ -466,22 +462,23 @@ static int adiantum_crypt(struct skcipher_request *re= q, bool enc) * First hash step * enc: P_M =3D P_R + H_{K_H}(T, P_L) * dec: C_M =3D C_R + H_{K_H}(T, C_L) */ adiantum_hash_header(req); - if (src_nents =3D=3D 1 && src->offset + req->cryptlen <=3D PAGE_SIZE) { + if (src->length >=3D req->cryptlen && + src->offset + req->cryptlen <=3D PAGE_SIZE) { /* Fast path for single-page source */ void *virt =3D kmap_local_page(sg_page(src)) + src->offset; =20 nhpoly1305_init(&rctx->u.hash_ctx); nhpoly1305_update(&rctx->u.hash_ctx, tctx, virt, bulk_len); nhpoly1305_final(&rctx->u.hash_ctx, tctx, &digest); memcpy(&rctx->rbuf.bignum, virt + bulk_len, sizeof(le128)); kunmap_local(virt); } else { /* Slow path that works for any source scatterlist */ - adiantum_hash_message(req, src, src_nents, &digest); + adiantum_hash_message(req, src, &digest); scatterwalk_map_and_copy(&rctx->rbuf.bignum, src, bulk_len, sizeof(le128), 0); } le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &rctx->header_hash); le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest); --=20 2.52.0 From nobody Tue Dec 16 16:35:51 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D92D6238C03; Thu, 11 Dec 2025 01:20:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416057; cv=none; b=Kvp8aBaWMIHuzXoMJObp3IEw20ekX4PwsXpetYBCBfPlMevYc1o6wUi/4ky2dQvyRos6bAfV4rvujdSwz5lmVVsEYZwi5RxH0Gs824fvcgqoo/Jrscp2Q+4qRwD4r4bvBG5b0suiwd8ORwRIcOcE7zy3dNC6ASjygQN4hWBxgO8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416057; c=relaxed/simple; bh=RPL2gSQ0HITBtieNdVNXNO558EclThGmelYePZPJ90M=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=P78K3UHinI+Bq4zF/9lQmDWoCmhOlatTgULdyyniG+l9nPPN1kTXU8fJ8WqgszLeM5fvngWn7sTNVUj9dnOGrsWcHNSz/62m434odC1pk7vDChtPnrCzH+V75aFZK3qYJmutmu0QhCzmnTHe+wCOTjhJ4StEPg6Hp1GORIEkNz4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=FfUh8vuc; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="FfUh8vuc" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 65757C19422; Thu, 11 Dec 2025 01:20:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1765416056; bh=RPL2gSQ0HITBtieNdVNXNO558EclThGmelYePZPJ90M=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=FfUh8vucvxNnIFf/LTHchKtqKOdIIGXBkma40oZVP0OFlR6T7RfwOkonLGBxT3o15 gKCuKY0wp50ex7EkGdEGKKrNG301pIq+h9Eadd5GlGmV5WgJjxmEAkmdzarYQ8RUde p+0hlY/kx87AWssVjB7wuDgRO+dVUcpM5zilhI1BOtcLmSIbAtA45BMyJsM6tuwxup dHVP7xFp79e789OPQ/F0oQsFyNW8c6fwHa2G6z53K8TtrRIZ4Rd3oteVe9oPgozqtI lweIf+z/gDrIk7SLogY0WxNbPeSg5xyw624e2xMhqGJ3FF0Q/ZnEmexWxo70L3BG2F WTeKL3bN6Q8ZA== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , Herbert Xu , linux-arm-kernel@lists.infradead.org, x86@kernel.org, Eric Biggers Subject: [PATCH 08/12] crypto: adiantum - Use memcpy_{to,from}_sglist() Date: Wed, 10 Dec 2025 17:18:40 -0800 Message-ID: <20251211011846.8179-9-ebiggers@kernel.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251211011846.8179-1-ebiggers@kernel.org> References: <20251211011846.8179-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Call the newer, easier-to-read functions memcpy_to_sglist() and memcpy_from_sglist() directly instead of calling scatterwalk_map_and_copy(). No change in behavior. Signed-off-by: Eric Biggers Acked-by: Herbert Xu --- crypto/adiantum.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/crypto/adiantum.c b/crypto/adiantum.c index 519e95228ad8..6d882f926ab0 100644 --- a/crypto/adiantum.c +++ b/crypto/adiantum.c @@ -425,12 +425,12 @@ static int adiantum_finish(struct skcipher_request *r= eq) kunmap_local(virt); } else { /* Slow path that works for any destination scatterlist */ adiantum_hash_message(req, dst, &digest); le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest); - scatterwalk_map_and_copy(&rctx->rbuf.bignum, dst, - bulk_len, sizeof(le128), 1); + memcpy_to_sglist(dst, bulk_len, &rctx->rbuf.bignum, + sizeof(le128)); } return 0; } =20 static void adiantum_streamcipher_done(void *data, int err) @@ -475,12 +475,12 @@ static int adiantum_crypt(struct skcipher_request *re= q, bool enc) memcpy(&rctx->rbuf.bignum, virt + bulk_len, sizeof(le128)); kunmap_local(virt); } else { /* Slow path that works for any source scatterlist */ adiantum_hash_message(req, src, &digest); - scatterwalk_map_and_copy(&rctx->rbuf.bignum, src, - bulk_len, sizeof(le128), 0); + memcpy_from_sglist(&rctx->rbuf.bignum, src, bulk_len, + sizeof(le128)); } le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &rctx->header_hash); le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest); =20 /* If encrypting, encrypt P_M with the block cipher to get C_M */ --=20 2.52.0 From nobody Tue Dec 16 16:35:51 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 94094236453; Thu, 11 Dec 2025 01:20:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416057; cv=none; b=lCxWUSTKr+qGf4cuQ+4wLFLJTPrCnmOCZf2ZWa8EKOCrOsXpZsCUbMH5/KTle8tKKNH6E182xdplUPtBGZ5+0QDp7wlceC1oF1ZJe/1gIs61ENlcz8wAIi/oAJpN94ltSuz5bX8/dYioaj8lzYX2f9b5/wusZLaid8FIOJY9Jgo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416057; c=relaxed/simple; bh=jd/fjl1lIZXJuNgWgLThZjv/SSMLpriHsm2sS8H6n5I=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=rP8tBDG6SX4HAlQIxiFAGDbEbINh/FDOfHf4uun+uVd75a3g1n5283rtJrit5GEXvZSFL4ZBWZU9/UMxhMmLAOjwW/k2ser7d2gjAFm6wjcJoA9ml+C+u4ZmI0Lk8Al57JWxoWPiFbfrHZuUwHP1SaxTW3SXc3toHgnO9fmdbF4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=ZQk9eE2T; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ZQk9eE2T" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 357E2C4CEF1; Thu, 11 Dec 2025 01:20:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1765416056; bh=jd/fjl1lIZXJuNgWgLThZjv/SSMLpriHsm2sS8H6n5I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ZQk9eE2Tzk0O/evrnS0rJOJm+PLw6jInkaleZNFiigXdLc66ih5OP46+M2POJ4O4X GBBGazdMiS5im28bkZVk05hTkXcsfuCoPH37SUA1HBJissve1vm5vafFLhKTh5uRMl jzzMw23YB98nUszmt8R+okWS5I00BEdyWg/lDv3OlM5biJsj/EbXi+o9I8jN6pPjN2 spUYMlqSjZnXYMz92Wi9m4mySNL0CX4Dl52fc3TPkZ/qETfV1QUTnd0vV+CKzJLEJI BpeRSKbTDBbhYERJySOV2PWPCKAqUnxbf1W3VxviScMfxmKZeI6ucUc0sH2RuC4tvJ 50KgmXarg6ESQ== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , Herbert Xu , linux-arm-kernel@lists.infradead.org, x86@kernel.org, Eric Biggers Subject: [PATCH 09/12] crypto: adiantum - Drop support for asynchronous xchacha ciphers Date: Wed, 10 Dec 2025 17:18:41 -0800 Message-ID: <20251211011846.8179-10-ebiggers@kernel.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251211011846.8179-1-ebiggers@kernel.org> References: <20251211011846.8179-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This feature isn't useful in practice. Simplify and streamline the code in the synchronous case, i.e. the case that actually matters, instead. For example, by no longer having to support resuming the calculation after an asynchronous return of the xchacha cipher, we can just keep more of the state on the stack instead of in the request context. Signed-off-by: Eric Biggers --- crypto/adiantum.c | 174 +++++++++++++++++++--------------------------- 1 file changed, 70 insertions(+), 104 deletions(-) diff --git a/crypto/adiantum.c b/crypto/adiantum.c index 6d882f926ab0..5ddf585abb66 100644 --- a/crypto/adiantum.c +++ b/crypto/adiantum.c @@ -81,33 +81,10 @@ struct nhpoly1305_ctx { =20 __le64 nh_hash[NH_NUM_PASSES]; }; =20 struct adiantum_request_ctx { - - /* - * Buffer for right-hand part of data, i.e. - * - * P_L =3D> P_M =3D> C_M =3D> C_R when encrypting, or - * C_R =3D> C_M =3D> P_M =3D> P_L when decrypting. - * - * Also used to build the IV for the stream cipher. - */ - union { - u8 bytes[XCHACHA_IV_SIZE]; - __le32 words[XCHACHA_IV_SIZE / sizeof(__le32)]; - le128 bignum; /* interpret as element of Z/(2^{128}Z) */ - } rbuf; - - bool enc; /* true if encrypting, false if decrypting */ - - /* - * The result of the Poly1305 =CE=B5-=E2=88=86U hash function applied to - * (bulk length, tweak) - */ - le128 header_hash; - /* * skcipher sub-request size is unknown at compile-time, so it needs to * go after the members with known sizes. */ union { @@ -214,25 +191,24 @@ static inline void le128_sub(le128 *r, const le128 *v= 1, const le128 *v2) (x - y > x)); } =20 /* * Apply the Poly1305 =CE=B5-=E2=88=86U hash function to (bulk length, twe= ak) and save the - * result to rctx->header_hash. This is the calculation + * result to @out. This is the calculation * * H_T =E2=86=90 Poly1305_{K_T}(bin_{128}(|L|) || T) * * from the procedure in section 6.4 of the Adiantum paper. The resulting= value * is reused in both the first and second hash steps. Specifically, it's = added * to the result of an independently keyed =CE=B5-=E2=88=86U hash function= (for equal length * inputs only) taken over the left-hand part (the "bulk") of the message,= to * give the overall Adiantum hash of the (tweak, left-hand part) pair. */ -static void adiantum_hash_header(struct skcipher_request *req) +static void adiantum_hash_header(struct skcipher_request *req, le128 *out) { struct crypto_skcipher *tfm =3D crypto_skcipher_reqtfm(req); const struct adiantum_tfm_ctx *tctx =3D crypto_skcipher_ctx(tfm); - struct adiantum_request_ctx *rctx =3D skcipher_request_ctx(req); const unsigned int bulk_len =3D req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; struct { __le64 message_bits; __le64 padding; } header =3D { @@ -248,11 +224,11 @@ static void adiantum_hash_header(struct skcipher_requ= est *req) =20 BUILD_BUG_ON(TWEAK_SIZE % POLY1305_BLOCK_SIZE !=3D 0); poly1305_core_blocks(&state, &tctx->header_hash_key, req->iv, TWEAK_SIZE / POLY1305_BLOCK_SIZE, 1); =20 - poly1305_core_emit(&state, NULL, &rctx->header_hash); + poly1305_core_emit(&state, NULL, out); } =20 /* Pass the next NH hash value through Poly1305 */ static void process_nh_hash_value(struct nhpoly1305_ctx *ctx, const struct adiantum_tfm_ctx *key) @@ -387,116 +363,73 @@ static void adiantum_hash_message(struct skcipher_re= quest *req, len -=3D n; } nhpoly1305_final(&rctx->u.hash_ctx, tctx, out); } =20 -/* Continue Adiantum encryption/decryption after the stream cipher step */ -static int adiantum_finish(struct skcipher_request *req) +static int adiantum_crypt(struct skcipher_request *req, bool enc) { struct crypto_skcipher *tfm =3D crypto_skcipher_reqtfm(req); const struct adiantum_tfm_ctx *tctx =3D crypto_skcipher_ctx(tfm); struct adiantum_request_ctx *rctx =3D skcipher_request_ctx(req); const unsigned int bulk_len =3D req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; - struct scatterlist *dst =3D req->dst; - le128 digest; - - /* If decrypting, decrypt C_M with the block cipher to get P_M */ - if (!rctx->enc) - crypto_cipher_decrypt_one(tctx->blockcipher, rctx->rbuf.bytes, - rctx->rbuf.bytes); - + struct scatterlist *src =3D req->src, *dst =3D req->dst; /* - * Second hash step - * enc: C_R =3D C_M - H_{K_H}(T, C_L) - * dec: P_R =3D P_M - H_{K_H}(T, P_L) + * Buffer for right-hand part of data, i.e. + * + * P_L =3D> P_M =3D> C_M =3D> C_R when encrypting, or + * C_R =3D> C_M =3D> P_M =3D> P_L when decrypting. + * + * Also used to build the IV for the stream cipher. */ - le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &rctx->header_hash); - if (dst->length >=3D req->cryptlen && - dst->offset + req->cryptlen <=3D PAGE_SIZE) { - /* Fast path for single-page destination */ - struct page *page =3D sg_page(dst); - void *virt =3D kmap_local_page(page) + dst->offset; - - nhpoly1305_init(&rctx->u.hash_ctx); - nhpoly1305_update(&rctx->u.hash_ctx, tctx, virt, bulk_len); - nhpoly1305_final(&rctx->u.hash_ctx, tctx, &digest); - le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest); - memcpy(virt + bulk_len, &rctx->rbuf.bignum, sizeof(le128)); - flush_dcache_page(page); - kunmap_local(virt); - } else { - /* Slow path that works for any destination scatterlist */ - adiantum_hash_message(req, dst, &digest); - le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest); - memcpy_to_sglist(dst, bulk_len, &rctx->rbuf.bignum, - sizeof(le128)); - } - return 0; -} - -static void adiantum_streamcipher_done(void *data, int err) -{ - struct skcipher_request *req =3D data; - - if (!err) - err =3D adiantum_finish(req); - - skcipher_request_complete(req, err); -} - -static int adiantum_crypt(struct skcipher_request *req, bool enc) -{ - struct crypto_skcipher *tfm =3D crypto_skcipher_reqtfm(req); - const struct adiantum_tfm_ctx *tctx =3D crypto_skcipher_ctx(tfm); - struct adiantum_request_ctx *rctx =3D skcipher_request_ctx(req); - const unsigned int bulk_len =3D req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; - struct scatterlist *src =3D req->src; + union { + u8 bytes[XCHACHA_IV_SIZE]; + __le32 words[XCHACHA_IV_SIZE / sizeof(__le32)]; + le128 bignum; /* interpret as element of Z/(2^{128}Z) */ + } rbuf; + le128 header_hash, msg_hash; unsigned int stream_len; - le128 digest; + int err; =20 if (req->cryptlen < BLOCKCIPHER_BLOCK_SIZE) return -EINVAL; =20 - rctx->enc =3D enc; - /* * First hash step * enc: P_M =3D P_R + H_{K_H}(T, P_L) * dec: C_M =3D C_R + H_{K_H}(T, C_L) */ - adiantum_hash_header(req); + adiantum_hash_header(req, &header_hash); if (src->length >=3D req->cryptlen && src->offset + req->cryptlen <=3D PAGE_SIZE) { /* Fast path for single-page source */ void *virt =3D kmap_local_page(sg_page(src)) + src->offset; =20 nhpoly1305_init(&rctx->u.hash_ctx); nhpoly1305_update(&rctx->u.hash_ctx, tctx, virt, bulk_len); - nhpoly1305_final(&rctx->u.hash_ctx, tctx, &digest); - memcpy(&rctx->rbuf.bignum, virt + bulk_len, sizeof(le128)); + nhpoly1305_final(&rctx->u.hash_ctx, tctx, &msg_hash); + memcpy(&rbuf.bignum, virt + bulk_len, sizeof(le128)); kunmap_local(virt); } else { /* Slow path that works for any source scatterlist */ - adiantum_hash_message(req, src, &digest); - memcpy_from_sglist(&rctx->rbuf.bignum, src, bulk_len, - sizeof(le128)); + adiantum_hash_message(req, src, &msg_hash); + memcpy_from_sglist(&rbuf.bignum, src, bulk_len, sizeof(le128)); } - le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &rctx->header_hash); - le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest); + le128_add(&rbuf.bignum, &rbuf.bignum, &header_hash); + le128_add(&rbuf.bignum, &rbuf.bignum, &msg_hash); =20 /* If encrypting, encrypt P_M with the block cipher to get C_M */ if (enc) - crypto_cipher_encrypt_one(tctx->blockcipher, rctx->rbuf.bytes, - rctx->rbuf.bytes); + crypto_cipher_encrypt_one(tctx->blockcipher, rbuf.bytes, + rbuf.bytes); =20 /* Initialize the rest of the XChaCha IV (first part is C_M) */ BUILD_BUG_ON(BLOCKCIPHER_BLOCK_SIZE !=3D 16); BUILD_BUG_ON(XCHACHA_IV_SIZE !=3D 32); /* nonce || stream position */ - rctx->rbuf.words[4] =3D cpu_to_le32(1); - rctx->rbuf.words[5] =3D 0; - rctx->rbuf.words[6] =3D 0; - rctx->rbuf.words[7] =3D 0; + rbuf.words[4] =3D cpu_to_le32(1); + rbuf.words[5] =3D 0; + rbuf.words[6] =3D 0; + rbuf.words[7] =3D 0; =20 /* * XChaCha needs to be done on all the data except the last 16 bytes; * for disk encryption that usually means 4080 or 496 bytes. But ChaCha * implementations tend to be most efficient when passed a whole number @@ -509,16 +442,48 @@ static int adiantum_crypt(struct skcipher_request *re= q, bool enc) if (round_up(stream_len, CHACHA_BLOCK_SIZE) <=3D req->cryptlen) stream_len =3D round_up(stream_len, CHACHA_BLOCK_SIZE); =20 skcipher_request_set_tfm(&rctx->u.streamcipher_req, tctx->streamcipher); skcipher_request_set_crypt(&rctx->u.streamcipher_req, req->src, - req->dst, stream_len, &rctx->rbuf); + req->dst, stream_len, &rbuf); skcipher_request_set_callback(&rctx->u.streamcipher_req, - req->base.flags, - adiantum_streamcipher_done, req); - return crypto_skcipher_encrypt(&rctx->u.streamcipher_req) ?: - adiantum_finish(req); + req->base.flags, NULL, NULL); + err =3D crypto_skcipher_encrypt(&rctx->u.streamcipher_req); + if (err) + return err; + + /* If decrypting, decrypt C_M with the block cipher to get P_M */ + if (!enc) + crypto_cipher_decrypt_one(tctx->blockcipher, rbuf.bytes, + rbuf.bytes); + + /* + * Second hash step + * enc: C_R =3D C_M - H_{K_H}(T, C_L) + * dec: P_R =3D P_M - H_{K_H}(T, P_L) + */ + le128_sub(&rbuf.bignum, &rbuf.bignum, &header_hash); + if (dst->length >=3D req->cryptlen && + dst->offset + req->cryptlen <=3D PAGE_SIZE) { + /* Fast path for single-page destination */ + struct page *page =3D sg_page(dst); + void *virt =3D kmap_local_page(page) + dst->offset; + + nhpoly1305_init(&rctx->u.hash_ctx); + nhpoly1305_update(&rctx->u.hash_ctx, tctx, virt, bulk_len); + nhpoly1305_final(&rctx->u.hash_ctx, tctx, &msg_hash); + le128_sub(&rbuf.bignum, &rbuf.bignum, &msg_hash); + memcpy(virt + bulk_len, &rbuf.bignum, sizeof(le128)); + flush_dcache_page(page); + kunmap_local(virt); + } else { + /* Slow path that works for any destination scatterlist */ + adiantum_hash_message(req, dst, &msg_hash); + le128_sub(&rbuf.bignum, &rbuf.bignum, &msg_hash); + memcpy_to_sglist(dst, bulk_len, &rbuf.bignum, sizeof(le128)); + } + return 0; } =20 static int adiantum_encrypt(struct skcipher_request *req) { return adiantum_crypt(req, true); @@ -622,11 +587,12 @@ static int adiantum_create(struct crypto_template *tm= pl, struct rtattr **tb) ictx =3D skcipher_instance_ctx(inst); =20 /* Stream cipher, e.g. "xchacha12" */ err =3D crypto_grab_skcipher(&ictx->streamcipher_spawn, skcipher_crypto_instance(inst), - crypto_attr_alg_name(tb[1]), 0, mask); + crypto_attr_alg_name(tb[1]), 0, + mask | CRYPTO_ALG_ASYNC /* sync only */); if (err) goto err_free_inst; streamcipher_alg =3D crypto_spawn_skcipher_alg_common(&ictx->streamcipher= _spawn); =20 /* Block cipher, e.g. "aes" */ --=20 2.52.0 From nobody Tue Dec 16 16:35:51 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AEF7526D4CA; Thu, 11 Dec 2025 01:20:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416057; cv=none; b=WtDGrkQH/ahr5WRr+5SZ/XbNrs6bXnSCj1BKEgqiP+3mOf6bJaWAQFVgzZkSmnQ1M4MCH+f+Jhe8CTOn1uiJ97CfdoLqL4eH1jKSLcVtQoBCEefsZ81QvDofFCZWX2FUKEj/2ORNMaqzyEbd7mvjhh0WwjcDV1xAuXB66d/Wu6s= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416057; c=relaxed/simple; bh=/nofUveZyorl1krlyxDggW3EvtuF1tSn+n8Tbr1hxlQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=upxKrFyXFvHO1UmyfrYX750Mzvi4vM0TMN96l+iWUZiBwLtzllryeDUXd9THKA2T+uc5cTIBjIm5HoNswdY6eGDXRUmqP7z9JH/LujDKFP0eh/yG6YsPmyL2TeHUqsrD8A0+c7d5W9P0uIFb6LaHNHU+H2GIu9OkOLj1/i0La94= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=TeUDdx5k; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="TeUDdx5k" Received: by smtp.kernel.org (Postfix) with ESMTPSA id D2716C4CEF7; Thu, 11 Dec 2025 01:20:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1765416057; bh=/nofUveZyorl1krlyxDggW3EvtuF1tSn+n8Tbr1hxlQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TeUDdx5kdaBvIJ30eIjLLOyZav2WdtEZosrnwPE2iBRWTjsuxrm+FPU+kRtXlEYLH PzUFj6cPC0kb4DCY3EOXSaKt+aGWe3pZhFOZdiTCx0mN6gW+B9yIUII5+u1Qvuja5f Q2szzKZgnFZjzYrx6DHJSsyVTcrHmRWgoQcclljNHJS7jxmmyuzax2JasX8UI1woUw yF2PITqqrWQ54gSxhZ2Z6Hxym1TCIfeTVIL2sanf+KSJgaXlps4m7cqzRTRiWaddPW JDCeT1i6iz/7jv1VYlgFz+pTkC7WkOmNB1E1SUU8YHhyfOTqeV1yra8a0g8BkRetTk tKtHmZKqhxPMg== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , Herbert Xu , linux-arm-kernel@lists.infradead.org, x86@kernel.org, Eric Biggers Subject: [PATCH 10/12] crypto: nhpoly1305 - Remove crypto_shash support Date: Wed, 10 Dec 2025 17:18:42 -0800 Message-ID: <20251211011846.8179-11-ebiggers@kernel.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251211011846.8179-1-ebiggers@kernel.org> References: <20251211011846.8179-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Remove nhpoly1305 support from crypto_shash. It no longer has any user now that crypto/adiantum.c no longer uses it. Signed-off-by: Eric Biggers Acked-by: Herbert Xu --- crypto/Kconfig | 6 - crypto/Makefile | 1 - crypto/nhpoly1305.c | 255 ------------------------------------ include/crypto/nhpoly1305.h | 74 ----------- 4 files changed, 336 deletions(-) delete mode 100644 crypto/nhpoly1305.c delete mode 100644 include/crypto/nhpoly1305.h diff --git a/crypto/Kconfig b/crypto/Kconfig index 89d1ccaa1fa0..12a87f7cf150 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -757,16 +757,10 @@ config CRYPTO_XTS =20 Use with aes-xts-plain, key size 256, 384 or 512 bits. This implementation currently can't handle a sectorsize which is not a multiple of 16 bytes. =20 -config CRYPTO_NHPOLY1305 - tristate - select CRYPTO_HASH - select CRYPTO_LIB_POLY1305 - select CRYPTO_LIB_POLY1305_GENERIC - endmenu =20 menu "AEAD (authenticated encryption with associated data) ciphers" =20 config CRYPTO_AEGIS128 diff --git a/crypto/Makefile b/crypto/Makefile index 16a35649dd91..23d3db7be425 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -92,11 +92,10 @@ obj-$(CONFIG_CRYPTO_LRW) +=3D lrw.o obj-$(CONFIG_CRYPTO_XTS) +=3D xts.o obj-$(CONFIG_CRYPTO_CTR) +=3D ctr.o obj-$(CONFIG_CRYPTO_XCTR) +=3D xctr.o obj-$(CONFIG_CRYPTO_HCTR2) +=3D hctr2.o obj-$(CONFIG_CRYPTO_ADIANTUM) +=3D adiantum.o -obj-$(CONFIG_CRYPTO_NHPOLY1305) +=3D nhpoly1305.o obj-$(CONFIG_CRYPTO_GCM) +=3D gcm.o obj-$(CONFIG_CRYPTO_CCM) +=3D ccm.o obj-$(CONFIG_CRYPTO_CHACHA20POLY1305) +=3D chacha20poly1305.o obj-$(CONFIG_CRYPTO_AEGIS128) +=3D aegis128.o aegis128-y :=3D aegis128-core.o diff --git a/crypto/nhpoly1305.c b/crypto/nhpoly1305.c deleted file mode 100644 index 2b648615b5ec..000000000000 --- a/crypto/nhpoly1305.c +++ /dev/null @@ -1,255 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0 -/* - * NHPoly1305 - =CE=B5-almost-=E2=88=86-universal hash function for Adiant= um - * - * Copyright 2018 Google LLC - */ - -/* - * "NHPoly1305" is the main component of Adiantum hashing. - * Specifically, it is the calculation - * - * H_L =E2=86=90 Poly1305_{K_L}(NH_{K_N}(pad_{128}(L))) - * - * from the procedure in section 6.4 of the Adiantum paper [1]. It is an - * =CE=B5-almost-=E2=88=86-universal (=CE=B5-=E2=88=86U) hash function for= equal-length inputs over - * Z/(2^{128}Z), where the "=E2=88=86" operation is addition. It hashes 1= 024-byte - * chunks of the input with the NH hash function [2], reducing the input l= ength - * by 32x. The resulting NH digests are evaluated as a polynomial in - * GF(2^{130}-5), like in the Poly1305 MAC [3]. Note that the polynomial - * evaluation by itself would suffice to achieve the =CE=B5-=E2=88=86U pro= perty; NH is used - * for performance since it's over twice as fast as Poly1305. - * - * This is *not* a cryptographic hash function; do not use it as such! - * - * [1] Adiantum: length-preserving encryption for entry-level processors - * (https://eprint.iacr.org/2018/720.pdf) - * [2] UMAC: Fast and Secure Message Authentication - * (https://fastcrypto.org/umac/umac_proc.pdf) - * [3] The Poly1305-AES message-authentication code - * (https://cr.yp.to/mac/poly1305-20050329.pdf) - */ - -#include -#include -#include -#include -#include -#include -#include -#include - -static void nh_generic(const u32 *key, const u8 *message, size_t message_l= en, - __le64 hash[NH_NUM_PASSES]) -{ - u64 sums[4] =3D { 0, 0, 0, 0 }; - - BUILD_BUG_ON(NH_PAIR_STRIDE !=3D 2); - BUILD_BUG_ON(NH_NUM_PASSES !=3D 4); - - while (message_len) { - u32 m0 =3D get_unaligned_le32(message + 0); - u32 m1 =3D get_unaligned_le32(message + 4); - u32 m2 =3D get_unaligned_le32(message + 8); - u32 m3 =3D get_unaligned_le32(message + 12); - - sums[0] +=3D (u64)(u32)(m0 + key[ 0]) * (u32)(m2 + key[ 2]); - sums[1] +=3D (u64)(u32)(m0 + key[ 4]) * (u32)(m2 + key[ 6]); - sums[2] +=3D (u64)(u32)(m0 + key[ 8]) * (u32)(m2 + key[10]); - sums[3] +=3D (u64)(u32)(m0 + key[12]) * (u32)(m2 + key[14]); - sums[0] +=3D (u64)(u32)(m1 + key[ 1]) * (u32)(m3 + key[ 3]); - sums[1] +=3D (u64)(u32)(m1 + key[ 5]) * (u32)(m3 + key[ 7]); - sums[2] +=3D (u64)(u32)(m1 + key[ 9]) * (u32)(m3 + key[11]); - sums[3] +=3D (u64)(u32)(m1 + key[13]) * (u32)(m3 + key[15]); - key +=3D NH_MESSAGE_UNIT / sizeof(key[0]); - message +=3D NH_MESSAGE_UNIT; - message_len -=3D NH_MESSAGE_UNIT; - } - - hash[0] =3D cpu_to_le64(sums[0]); - hash[1] =3D cpu_to_le64(sums[1]); - hash[2] =3D cpu_to_le64(sums[2]); - hash[3] =3D cpu_to_le64(sums[3]); -} - -/* Pass the next NH hash value through Poly1305 */ -static void process_nh_hash_value(struct nhpoly1305_state *state, - const struct nhpoly1305_key *key) -{ - BUILD_BUG_ON(NH_HASH_BYTES % POLY1305_BLOCK_SIZE !=3D 0); - - poly1305_core_blocks(&state->poly_state, &key->poly_key, state->nh_hash, - NH_HASH_BYTES / POLY1305_BLOCK_SIZE, 1); -} - -/* - * Feed the next portion of the source data, as a whole number of 16-byte - * "NH message units", through NH and Poly1305. Each NH hash is taken over - * 1024 bytes, except possibly the final one which is taken over a multipl= e of - * 16 bytes up to 1024. Also, in the case where data is passed in misalig= ned - * chunks, we combine partial hashes; the end result is the same either wa= y. - */ -static void nhpoly1305_units(struct nhpoly1305_state *state, - const struct nhpoly1305_key *key, - const u8 *src, unsigned int srclen, nh_t nh_fn) -{ - do { - unsigned int bytes; - - if (state->nh_remaining =3D=3D 0) { - /* Starting a new NH message */ - bytes =3D min_t(unsigned int, srclen, NH_MESSAGE_BYTES); - nh_fn(key->nh_key, src, bytes, state->nh_hash); - state->nh_remaining =3D NH_MESSAGE_BYTES - bytes; - } else { - /* Continuing a previous NH message */ - __le64 tmp_hash[NH_NUM_PASSES]; - unsigned int pos; - int i; - - pos =3D NH_MESSAGE_BYTES - state->nh_remaining; - bytes =3D min(srclen, state->nh_remaining); - nh_fn(&key->nh_key[pos / 4], src, bytes, tmp_hash); - for (i =3D 0; i < NH_NUM_PASSES; i++) - le64_add_cpu(&state->nh_hash[i], - le64_to_cpu(tmp_hash[i])); - state->nh_remaining -=3D bytes; - } - if (state->nh_remaining =3D=3D 0) - process_nh_hash_value(state, key); - src +=3D bytes; - srclen -=3D bytes; - } while (srclen); -} - -int crypto_nhpoly1305_setkey(struct crypto_shash *tfm, - const u8 *key, unsigned int keylen) -{ - struct nhpoly1305_key *ctx =3D crypto_shash_ctx(tfm); - int i; - - if (keylen !=3D NHPOLY1305_KEY_SIZE) - return -EINVAL; - - poly1305_core_setkey(&ctx->poly_key, key); - key +=3D POLY1305_BLOCK_SIZE; - - for (i =3D 0; i < NH_KEY_WORDS; i++) - ctx->nh_key[i] =3D get_unaligned_le32(key + i * sizeof(u32)); - - return 0; -} -EXPORT_SYMBOL(crypto_nhpoly1305_setkey); - -int crypto_nhpoly1305_init(struct shash_desc *desc) -{ - struct nhpoly1305_state *state =3D shash_desc_ctx(desc); - - poly1305_core_init(&state->poly_state); - state->buflen =3D 0; - state->nh_remaining =3D 0; - return 0; -} -EXPORT_SYMBOL(crypto_nhpoly1305_init); - -int crypto_nhpoly1305_update_helper(struct shash_desc *desc, - const u8 *src, unsigned int srclen, - nh_t nh_fn) -{ - struct nhpoly1305_state *state =3D shash_desc_ctx(desc); - const struct nhpoly1305_key *key =3D crypto_shash_ctx(desc->tfm); - unsigned int bytes; - - if (state->buflen) { - bytes =3D min(srclen, (int)NH_MESSAGE_UNIT - state->buflen); - memcpy(&state->buffer[state->buflen], src, bytes); - state->buflen +=3D bytes; - if (state->buflen < NH_MESSAGE_UNIT) - return 0; - nhpoly1305_units(state, key, state->buffer, NH_MESSAGE_UNIT, - nh_fn); - state->buflen =3D 0; - src +=3D bytes; - srclen -=3D bytes; - } - - if (srclen >=3D NH_MESSAGE_UNIT) { - bytes =3D round_down(srclen, NH_MESSAGE_UNIT); - nhpoly1305_units(state, key, src, bytes, nh_fn); - src +=3D bytes; - srclen -=3D bytes; - } - - if (srclen) { - memcpy(state->buffer, src, srclen); - state->buflen =3D srclen; - } - return 0; -} -EXPORT_SYMBOL(crypto_nhpoly1305_update_helper); - -int crypto_nhpoly1305_update(struct shash_desc *desc, - const u8 *src, unsigned int srclen) -{ - return crypto_nhpoly1305_update_helper(desc, src, srclen, nh_generic); -} -EXPORT_SYMBOL(crypto_nhpoly1305_update); - -int crypto_nhpoly1305_final_helper(struct shash_desc *desc, u8 *dst, nh_t = nh_fn) -{ - struct nhpoly1305_state *state =3D shash_desc_ctx(desc); - const struct nhpoly1305_key *key =3D crypto_shash_ctx(desc->tfm); - - if (state->buflen) { - memset(&state->buffer[state->buflen], 0, - NH_MESSAGE_UNIT - state->buflen); - nhpoly1305_units(state, key, state->buffer, NH_MESSAGE_UNIT, - nh_fn); - } - - if (state->nh_remaining) - process_nh_hash_value(state, key); - - poly1305_core_emit(&state->poly_state, NULL, dst); - return 0; -} -EXPORT_SYMBOL(crypto_nhpoly1305_final_helper); - -int crypto_nhpoly1305_final(struct shash_desc *desc, u8 *dst) -{ - return crypto_nhpoly1305_final_helper(desc, dst, nh_generic); -} -EXPORT_SYMBOL(crypto_nhpoly1305_final); - -static struct shash_alg nhpoly1305_alg =3D { - .base.cra_name =3D "nhpoly1305", - .base.cra_driver_name =3D "nhpoly1305-generic", - .base.cra_priority =3D 100, - .base.cra_ctxsize =3D sizeof(struct nhpoly1305_key), - .base.cra_module =3D THIS_MODULE, - .digestsize =3D POLY1305_DIGEST_SIZE, - .init =3D crypto_nhpoly1305_init, - .update =3D crypto_nhpoly1305_update, - .final =3D crypto_nhpoly1305_final, - .setkey =3D crypto_nhpoly1305_setkey, - .descsize =3D sizeof(struct nhpoly1305_state), -}; - -static int __init nhpoly1305_mod_init(void) -{ - return crypto_register_shash(&nhpoly1305_alg); -} - -static void __exit nhpoly1305_mod_exit(void) -{ - crypto_unregister_shash(&nhpoly1305_alg); -} - -module_init(nhpoly1305_mod_init); -module_exit(nhpoly1305_mod_exit); - -MODULE_DESCRIPTION("NHPoly1305 =CE=B5-almost-=E2=88=86-universal hash func= tion"); -MODULE_LICENSE("GPL v2"); -MODULE_AUTHOR("Eric Biggers "); -MODULE_ALIAS_CRYPTO("nhpoly1305"); -MODULE_ALIAS_CRYPTO("nhpoly1305-generic"); diff --git a/include/crypto/nhpoly1305.h b/include/crypto/nhpoly1305.h deleted file mode 100644 index 306925fea190..000000000000 --- a/include/crypto/nhpoly1305.h +++ /dev/null @@ -1,74 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0 */ -/* - * Common values and helper functions for the NHPoly1305 hash function. - */ - -#ifndef _NHPOLY1305_H -#define _NHPOLY1305_H - -#include -#include - -/* NH parameterization: */ - -/* Endianness: little */ -/* Word size: 32 bits (works well on NEON, SSE2, AVX2) */ - -/* Stride: 2 words (optimal on ARM32 NEON; works okay on other CPUs too) */ -#define NH_PAIR_STRIDE 2 -#define NH_MESSAGE_UNIT (NH_PAIR_STRIDE * 2 * sizeof(u32)) - -/* Num passes (Toeplitz iteration count): 4, to give =CE=B5 =3D 2^{-128} */ -#define NH_NUM_PASSES 4 -#define NH_HASH_BYTES (NH_NUM_PASSES * sizeof(u64)) - -/* Max message size: 1024 bytes (32x compression factor) */ -#define NH_NUM_STRIDES 64 -#define NH_MESSAGE_WORDS (NH_PAIR_STRIDE * 2 * NH_NUM_STRIDES) -#define NH_MESSAGE_BYTES (NH_MESSAGE_WORDS * sizeof(u32)) -#define NH_KEY_WORDS (NH_MESSAGE_WORDS + \ - NH_PAIR_STRIDE * 2 * (NH_NUM_PASSES - 1)) -#define NH_KEY_BYTES (NH_KEY_WORDS * sizeof(u32)) - -#define NHPOLY1305_KEY_SIZE (POLY1305_BLOCK_SIZE + NH_KEY_BYTES) - -struct nhpoly1305_key { - struct poly1305_core_key poly_key; - u32 nh_key[NH_KEY_WORDS]; -}; - -struct nhpoly1305_state { - - /* Running total of polynomial evaluation */ - struct poly1305_state poly_state; - - /* Partial block buffer */ - u8 buffer[NH_MESSAGE_UNIT]; - unsigned int buflen; - - /* - * Number of bytes remaining until the current NH message reaches - * NH_MESSAGE_BYTES. When nonzero, 'nh_hash' holds the partial NH hash. - */ - unsigned int nh_remaining; - - __le64 nh_hash[NH_NUM_PASSES]; -}; - -typedef void (*nh_t)(const u32 *key, const u8 *message, size_t message_len, - __le64 hash[NH_NUM_PASSES]); - -int crypto_nhpoly1305_setkey(struct crypto_shash *tfm, - const u8 *key, unsigned int keylen); - -int crypto_nhpoly1305_init(struct shash_desc *desc); -int crypto_nhpoly1305_update(struct shash_desc *desc, - const u8 *src, unsigned int srclen); -int crypto_nhpoly1305_update_helper(struct shash_desc *desc, - const u8 *src, unsigned int srclen, - nh_t nh_fn); -int crypto_nhpoly1305_final(struct shash_desc *desc, u8 *dst); -int crypto_nhpoly1305_final_helper(struct shash_desc *desc, u8 *dst, - nh_t nh_fn); - -#endif /* _NHPOLY1305_H */ --=20 2.52.0 From nobody Tue Dec 16 16:35:51 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E0A4C271475; Thu, 11 Dec 2025 01:20:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416059; cv=none; b=YQxnAiIAqqspeZxFUBrImlf7khRLqoLHr4JfUHYNzOXMR8rWX4FCgHvTY2GW5b5UKoSqtAq/7Lq7E1l5FHIXOoBZXQ/xS1l5gQIvY5wc5OjBx89wVgAwGQLqM/A4BliHvEMqMzUAJ+SD7EFvMfUIu2dt9Y/MLYw7vR29Fy+IOaw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416059; c=relaxed/simple; bh=syyYRLgHyUi0JiiCrCpgxRqXxuotk9lpbzo59wSLXAI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ibExtXSHwtj01tIe3Dfy3bVQBjRUCD70mznI3AGJlAG1wFPfbYWCGVkl/RUmplqJ+8rkWqHdPB9GGLcCOgGH+qfs0g/Ee6ILQlPJ1kKdMZEpktLd7emP47Dk7Kd3jmbJkfMBOtzBhqsjzqM3+1c8rvjybyWOm/ZD4gDbTVLJH60= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=ulvD0KjS; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ulvD0KjS" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6F2E1C19422; Thu, 11 Dec 2025 01:20:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1765416057; bh=syyYRLgHyUi0JiiCrCpgxRqXxuotk9lpbzo59wSLXAI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ulvD0KjSPqCqpkpRJvbvM0PW7+2iR6umMnQ3jJsenaNm88uHZ3N5HBS0TXVH2tXZb YQnPbHRcdeBQKK9GEbgVihZz5sfEs7qgj4wZ126kH748p9SanyKmXtqWsEDdDNxKqT f7Hva+suZRLYyuqFkbxeLI3LDKXEI5fTQ8+eD21LPE6WRd/0HxFTnnLLJLzWk4t61F oU3Bsy/s9EmacZGJ8x/tsB5oSzdpQ1jOyhcDHnUIFte8t/I5HA7os6bMZMqpTgfdEu UZXHc3y5YHEr4IxC/0o8MYohMJ8jI/bn5sQx/YiwjIYu1xxTfLdroKpmUPUcspy5Bl N2+uCqseT0wJA== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , Herbert Xu , linux-arm-kernel@lists.infradead.org, x86@kernel.org, Eric Biggers Subject: [PATCH 11/12] crypto: testmgr - Remove nhpoly1305 tests Date: Wed, 10 Dec 2025 17:18:43 -0800 Message-ID: <20251211011846.8179-12-ebiggers@kernel.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251211011846.8179-1-ebiggers@kernel.org> References: <20251211011846.8179-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" These are no longer used, since nhpoly1305 support has been removed from the crypto_shash API. Signed-off-by: Eric Biggers Acked-by: Herbert Xu --- crypto/testmgr.c | 6 - crypto/testmgr.h | 1372 ---------------------------------------------- 2 files changed, 1378 deletions(-) diff --git a/crypto/testmgr.c b/crypto/testmgr.c index d9fc671d5941..5df204d9c9dd 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -5170,16 +5170,10 @@ static const struct alg_test_desc alg_test_descs[] = =3D { .alg =3D "michael_mic", .test =3D alg_test_hash, .suite =3D { .hash =3D __VECS(michael_mic_tv_template) } - }, { - .alg =3D "nhpoly1305", - .test =3D alg_test_hash, - .suite =3D { - .hash =3D __VECS(nhpoly1305_tv_template) - } }, { .alg =3D "p1363(ecdsa-nist-p192)", .test =3D alg_test_null, }, { .alg =3D "p1363(ecdsa-nist-p256)", diff --git a/crypto/testmgr.h b/crypto/testmgr.h index 80bf5f1b67a6..1a3329e1c325 100644 --- a/crypto/testmgr.h +++ b/crypto/testmgr.h @@ -7597,1382 +7597,10 @@ static const struct hash_testvec hmac_sha3_512_tv= _template[] =3D { "\xd1\xb9\x78\x9f\x97\xae\x5b\x83" "\xc6\xf4\x4d\xfc\xf1\xd6\x7e\xba", }, }; =20 -/* NHPoly1305 test vectors from https://github.com/google/adiantum */ -static const struct hash_testvec nhpoly1305_tv_template[] =3D { - { - .key =3D "\xd2\x5d\x4c\xdd\x8d\x2b\x7f\x7a" - "\xd9\xbe\x71\xec\xd1\x83\x52\xe3" - "\xe1\xad\xd7\x5c\x0a\x75\x9d\xec" - "\x1d\x13\x7e\x5d\x71\x07\xc9\xe4" - "\x57\x2d\x44\x68\xcf\xd8\xd6\xc5" - "\x39\x69\x7d\x32\x75\x51\x4f\x7e" - "\xb2\x4c\xc6\x90\x51\x6e\xd9\xd6" - "\xa5\x8b\x2d\xf1\x94\xf9\xf7\x5e" - "\x2c\x84\x7b\x41\x0f\x88\x50\x89" - "\x30\xd9\xa1\x38\x46\x6c\xc0\x4f" - "\xe8\xdf\xdc\x66\xab\x24\x43\x41" - "\x91\x55\x29\x65\x86\x28\x5e\x45" - "\xd5\x2d\xb7\x80\x08\x9a\xc3\xd4" - "\x9a\x77\x0a\xd4\xef\x3e\xe6\x3f" - "\x6f\x2f\x9b\x3a\x7d\x12\x1e\x80" - "\x6c\x44\xa2\x25\xe1\xf6\x60\xe9" - "\x0d\xaf\xc5\x3c\xa5\x79\xae\x64" - "\xbc\xa0\x39\xa3\x4d\x10\xe5\x4d" - "\xd5\xe7\x89\x7a\x13\xee\x06\x78" - "\xdc\xa4\xdc\x14\x27\xe6\x49\x38" - "\xd0\xe0\x45\x25\x36\xc5\xf4\x79" - "\x2e\x9a\x98\x04\xe4\x2b\x46\x52" - "\x7c\x33\xca\xe2\x56\x51\x50\xe2" - "\xa5\x9a\xae\x18\x6a\x13\xf8\xd2" - "\x21\x31\x66\x02\xe2\xda\x8d\x7e" - "\x41\x19\xb2\x61\xee\x48\x8f\xf1" - "\x65\x24\x2e\x1e\x68\xce\x05\xd9" - "\x2a\xcf\xa5\x3a\x57\xdd\x35\x91" - "\x93\x01\xca\x95\xfc\x2b\x36\x04" - "\xe6\x96\x97\x28\xf6\x31\xfe\xa3" - "\x9d\xf6\x6a\x1e\x80\x8d\xdc\xec" - "\xaf\x66\x11\x13\x02\x88\xd5\x27" - "\x33\xb4\x1a\xcd\xa3\xf6\xde\x31" - "\x8e\xc0\x0e\x6c\xd8\x5a\x97\x5e" - "\xdd\xfd\x60\x69\x38\x46\x3f\x90" - "\x5e\x97\xd3\x32\x76\xc7\x82\x49" - "\xfe\xba\x06\x5f\x2f\xa2\xfd\xff" - "\x80\x05\x40\xe4\x33\x03\xfb\x10" - "\xc0\xde\x65\x8c\xc9\x8d\x3a\x9d" - "\xb5\x7b\x36\x4b\xb5\x0c\xcf\x00" - "\x9c\x87\xe4\x49\xad\x90\xda\x4a" - "\xdd\xbd\xff\xe2\x32\x57\xd6\x78" - "\x36\x39\x6c\xd3\x5b\x9b\x88\x59" - "\x2d\xf0\x46\xe4\x13\x0e\x2b\x35" - "\x0d\x0f\x73\x8a\x4f\x26\x84\x75" - "\x88\x3c\xc5\x58\x66\x18\x1a\xb4" - "\x64\x51\x34\x27\x1b\xa4\x11\xc9" - "\x6d\x91\x8a\xfa\x32\x60\x9d\xd7" - "\x87\xe5\xaa\x43\x72\xf8\xda\xd1" - "\x48\x44\x13\x61\xdc\x8c\x76\x17" - "\x0c\x85\x4e\xf3\xdd\xa2\x42\xd2" - "\x74\xc1\x30\x1b\xeb\x35\x31\x29" - "\x5b\xd7\x4c\x94\x46\x35\xa1\x23" - "\x50\xf2\xa2\x8e\x7e\x4f\x23\x4f" - "\x51\xff\xe2\xc9\xa3\x7d\x56\x8b" - "\x41\xf2\xd0\xc5\x57\x7e\x59\xac" - "\xbb\x65\xf3\xfe\xf7\x17\xef\x63" - "\x7c\x6f\x23\xdd\x22\x8e\xed\x84" - "\x0e\x3b\x09\xb3\xf3\xf4\x8f\xcd" - "\x37\xa8\xe1\xa7\x30\xdb\xb1\xa2" - "\x9c\xa2\xdf\x34\x17\x3e\x68\x44" - "\xd0\xde\x03\x50\xd1\x48\x6b\x20" - "\xe2\x63\x45\xa5\xea\x87\xc2\x42" - "\x95\x03\x49\x05\xed\xe0\x90\x29" - "\x1a\xb8\xcf\x9b\x43\xcf\x29\x7a" - "\x63\x17\x41\x9f\xe0\xc9\x10\xfd" - "\x2c\x56\x8c\x08\x55\xb4\xa9\x27" - "\x0f\x23\xb1\x05\x6a\x12\x46\xc7" - "\xe1\xfe\x28\x93\x93\xd7\x2f\xdc" - "\x98\x30\xdb\x75\x8a\xbe\x97\x7a" - "\x02\xfb\x8c\xba\xbe\x25\x09\xbe" - "\xce\xcb\xa2\xef\x79\x4d\x0e\x9d" - "\x1b\x9d\xb6\x39\x34\x38\xfa\x07" - "\xec\xe8\xfc\x32\x85\x1d\xf7\x85" - "\x63\xc3\x3c\xc0\x02\x75\xd7\x3f" - "\xb2\x68\x60\x66\x65\x81\xc6\xb1" - "\x42\x65\x4b\x4b\x28\xd7\xc7\xaa" - "\x9b\xd2\xdc\x1b\x01\xe0\x26\x39" - "\x01\xc1\x52\x14\xd1\x3f\xb7\xe6" - "\x61\x41\xc7\x93\xd2\xa2\x67\xc6" - "\xf7\x11\xb5\xf5\xea\xdd\x19\xfb" - "\x4d\x21\x12\xd6\x7d\xf1\x10\xb0" - "\x89\x07\xc7\x5a\x52\x73\x70\x2f" - "\x32\xef\x65\x2b\x12\xb2\xf0\xf5" - "\x20\xe0\x90\x59\x7e\x64\xf1\x4c" - "\x41\xb3\xa5\x91\x08\xe6\x5e\x5f" - "\x05\x56\x76\xb4\xb0\xcd\x70\x53" - "\x10\x48\x9c\xff\xc2\x69\x55\x24" - "\x87\xef\x84\xea\xfb\xa7\xbf\xa0" - "\x91\x04\xad\x4f\x8b\x57\x54\x4b" - "\xb6\xe9\xd1\xac\x37\x2f\x1d\x2e" - "\xab\xa5\xa4\xe8\xff\xfb\xd9\x39" - "\x2f\xb7\xac\xd1\xfe\x0b\x9a\x80" - "\x0f\xb6\xf4\x36\x39\x90\x51\xe3" - "\x0a\x2f\xb6\x45\x76\x89\xcd\x61" - "\xfe\x48\x5f\x75\x1d\x13\x00\x62" - "\x80\x24\x47\xe7\xbc\x37\xd7\xe3" - "\x15\xe8\x68\x22\xaf\x80\x6f\x4b" - "\xa8\x9f\x01\x10\x48\x14\xc3\x02" - "\x52\xd2\xc7\x75\x9b\x52\x6d\x30" - "\xac\x13\x85\xc8\xf7\xa3\x58\x4b" - "\x49\xf7\x1c\x45\x55\x8c\x39\x9a" - "\x99\x6d\x97\x27\x27\xe6\xab\xdd" - "\x2c\x42\x1b\x35\xdd\x9d\x73\xbb" - "\x6c\xf3\x64\xf1\xfb\xb9\xf7\xe6" - "\x4a\x3c\xc0\x92\xc0\x2e\xb7\x1a" - "\xbe\xab\xb3\x5a\xe5\xea\xb1\x48" - "\x58\x13\x53\x90\xfd\xc3\x8e\x54" - "\xf9\x18\x16\x73\xe8\xcb\x6d\x39" - "\x0e\xd7\xe0\xfe\xb6\x9f\x43\x97" - "\xe8\xd0\x85\x56\x83\x3e\x98\x68" - "\x7f\xbd\x95\xa8\x9a\x61\x21\x8f" - "\x06\x98\x34\xa6\xc8\xd6\x1d\xf3" - "\x3d\x43\xa4\x9a\x8c\xe5\xd3\x5a" - "\x32\xa2\x04\x22\xa4\x19\x1a\x46" - "\x42\x7e\x4d\xe5\xe0\xe6\x0e\xca" - "\xd5\x58\x9d\x2c\xaf\xda\x33\x5c" - "\xb0\x79\x9e\xc9\xfc\xca\xf0\x2f" - "\xa8\xb2\x77\xeb\x7a\xa2\xdd\x37" - "\x35\x83\x07\xd6\x02\x1a\xb6\x6c" - "\x24\xe2\x59\x08\x0e\xfd\x3e\x46" - "\xec\x40\x93\xf4\x00\x26\x4f\x2a" - "\xff\x47\x2f\xeb\x02\x92\x26\x5b" - "\x53\x17\xc2\x8d\x2a\xc7\xa3\x1b" - "\xcd\xbc\xa7\xe8\xd1\x76\xe3\x80" - "\x21\xca\x5d\x3b\xe4\x9c\x8f\xa9" - "\x5b\x7f\x29\x7f\x7c\xd8\xed\x6d" - "\x8c\xb2\x86\x85\xe7\x77\xf2\x85" - "\xab\x38\xa9\x9d\xc1\x4e\xc5\x64" - "\x33\x73\x8b\x59\x03\xad\x05\xdf" - "\x25\x98\x31\xde\xef\x13\xf1\x9b" - "\x3c\x91\x9d\x7b\xb1\xfa\xe6\xbf" - "\x5b\xed\xa5\x55\xe6\xea\x6c\x74" - "\xf4\xb9\xe4\x45\x64\x72\x81\xc2" - "\x4c\x28\xd4\xcd\xac\xe2\xde\xf9" - "\xeb\x5c\xeb\x61\x60\x5a\xe5\x28", - .ksize =3D 1088, - .plaintext =3D "", - .psize =3D 0, - .digest =3D "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00", - }, { - .key =3D "\x29\x21\x43\xcb\xcb\x13\x07\xde" - "\xbf\x48\xdf\x8a\x7f\xa2\x84\xde" - "\x72\x23\x9d\xf5\xf0\x07\xf2\x4c" - "\x20\x3a\x93\xb9\xcd\x5d\xfe\xcb" - "\x99\x2c\x2b\x58\xc6\x50\x5f\x94" - "\x56\xc3\x7c\x0d\x02\x3f\xb8\x5e" - "\x7b\xc0\x6c\x51\x34\x76\xc0\x0e" - "\xc6\x22\xc8\x9e\x92\xa0\x21\xc9" - "\x85\x5c\x7c\xf8\xe2\x64\x47\xc9" - "\xe4\xa2\x57\x93\xf8\xa2\x69\xcd" - "\x62\x98\x99\xf4\xd7\x7b\x14\xb1" - "\xd8\x05\xff\x04\x15\xc9\xe1\x6e" - "\x9b\xe6\x50\x6b\x0b\x3f\x22\x1f" - "\x08\xde\x0c\x5b\x08\x7e\xc6\x2f" - "\x6c\xed\xd6\xb2\x15\xa4\xb3\xf9" - "\xa7\x46\x38\x2a\xea\x69\xa5\xde" - "\x02\xc3\x96\x89\x4d\x55\x3b\xed" - "\x3d\x3a\x85\x77\xbf\x97\x45\x5c" - "\x9e\x02\x69\xe2\x1b\x68\xbe\x96" - "\xfb\x64\x6f\x0f\xf6\x06\x40\x67" - "\xfa\x04\xe3\x55\xfa\xbe\xa4\x60" - "\xef\x21\x66\x97\xe6\x9d\x5c\x1f" - "\x62\x37\xaa\x31\xde\xe4\x9c\x28" - "\x95\xe0\x22\x86\xf4\x4d\xf3\x07" - "\xfd\x5f\x3a\x54\x2c\x51\x80\x71" - "\xba\x78\x69\x5b\x65\xab\x1f\x81" - "\xed\x3b\xff\x34\xa3\xfb\xbc\x73" - "\x66\x7d\x13\x7f\xdf\x6e\xe2\xe2" - "\xeb\x4f\x6c\xda\x7d\x33\x57\xd0" - "\xd3\x7c\x95\x4f\x33\x58\x21\xc7" - "\xc0\xe5\x6f\x42\x26\xc6\x1f\x5e" - "\x85\x1b\x98\x9a\xa2\x1e\x55\x77" - "\x23\xdf\x81\x5e\x79\x55\x05\xfc" - "\xfb\xda\xee\xba\x5a\xba\xf7\x77" - "\x7f\x0e\xd3\xe1\x37\xfe\x8d\x2b" - "\xd5\x3f\xfb\xd0\xc0\x3c\x0b\x3f" - "\xcf\x3c\x14\xcf\xfb\x46\x72\x4c" - "\x1f\x39\xe2\xda\x03\x71\x6d\x23" - "\xef\x93\xcd\x39\xd9\x37\x80\x4d" - "\x65\x61\xd1\x2c\x03\xa9\x47\x72" - "\x4d\x1e\x0e\x16\x33\x0f\x21\x17" - "\xec\x92\xea\x6f\x37\x22\xa4\xd8" - "\x03\x33\x9e\xd8\x03\x69\x9a\xe8" - "\xb2\x57\xaf\x78\x99\x05\x12\xab" - "\x48\x90\x80\xf0\x12\x9b\x20\x64" - "\x7a\x1d\x47\x5f\xba\x3c\xf9\xc3" - "\x0a\x0d\x8d\xa1\xf9\x1b\x82\x13" - "\x3e\x0d\xec\x0a\x83\xc0\x65\xe1" - "\xe9\x95\xff\x97\xd6\xf2\xe4\xd5" - "\x86\xc0\x1f\x29\x27\x63\xd7\xde" - "\xb7\x0a\x07\x99\x04\x2d\xa3\x89" - "\xa2\x43\xcf\xf3\xe1\x43\xac\x4a" - "\x06\x97\xd0\x05\x4f\x87\xfa\xf9" - "\x9b\xbf\x52\x70\xbd\xbc\x6c\xf3" - "\x03\x13\x60\x41\x28\x09\xec\xcc" - "\xb1\x1a\xec\xd6\xfb\x6f\x2a\x89" - "\x5d\x0b\x53\x9c\x59\xc1\x84\x21" - "\x33\x51\x47\x19\x31\x9c\xd4\x0a" - "\x4d\x04\xec\x50\x90\x61\xbd\xbc" - "\x7e\xc8\xd9\x6c\x98\x1d\x45\x41" - "\x17\x5e\x97\x1c\xc5\xa8\xe8\xea" - "\x46\x58\x53\xf7\x17\xd5\xad\x11" - "\xc8\x54\xf5\x7a\x33\x90\xf5\x19" - "\xba\x36\xb4\xfc\x52\xa5\x72\x3d" - "\x14\xbb\x55\xa7\xe9\xe3\x12\xf7" - "\x1c\x30\xa2\x82\x03\xbf\x53\x91" - "\x2e\x60\x41\x9f\x5b\x69\x39\xf6" - "\x4d\xc8\xf8\x46\x7a\x7f\xa4\x98" - "\x36\xff\x06\xcb\xca\xe7\x33\xf2" - "\xc0\x4a\xf4\x3c\x14\x44\x5f\x6b" - "\x75\xef\x02\x36\x75\x08\x14\xfd" - "\x10\x8e\xa5\x58\xd0\x30\x46\x49" - "\xaf\x3a\xf8\x40\x3d\x35\xdb\x84" - "\x11\x2e\x97\x6a\xb7\x87\x7f\xad" - "\xf1\xfa\xa5\x63\x60\xd8\x5e\xbf" - "\x41\x78\x49\xcf\x77\xbb\x56\xbb" - "\x7d\x01\x67\x05\x22\xc8\x8f\x41" - "\xba\x81\xd2\xca\x2c\x38\xac\x76" - "\x06\xc1\x1a\xc2\xce\xac\x90\x67" - "\x57\x3e\x20\x12\x5b\xd9\x97\x58" - "\x65\x05\xb7\x04\x61\x7e\xd8\x3a" - "\xbf\x55\x3b\x13\xe9\x34\x5a\x37" - "\x36\xcb\x94\x45\xc5\x32\xb3\xa0" - "\x0c\x3e\x49\xc5\xd3\xed\xa7\xf0" - "\x1c\x69\xcc\xea\xcc\x83\xc9\x16" - "\x95\x72\x4b\xf4\x89\xd5\xb9\x10" - "\xf6\x2d\x60\x15\xea\x3c\x06\x66" - "\x9f\x82\xad\x17\xce\xd2\xa4\x48" - "\x7c\x65\xd9\xf8\x02\x4d\x9b\x4c" - "\x89\x06\x3a\x34\x85\x48\x89\x86" - "\xf9\x24\xa9\x54\x72\xdb\x44\x95" - "\xc7\x44\x1c\x19\x11\x4c\x04\xdc" - "\x13\xb9\x67\xc8\xc3\x3a\x6a\x50" - "\xfa\xd1\xfb\xe1\x88\xb6\xf1\xa3" - "\xc5\x3b\xdc\x38\x45\x16\x26\x02" - "\x3b\xb8\x8f\x8b\x58\x7d\x23\x04" - "\x50\x6b\x81\x9f\xae\x66\xac\x6f" - "\xcf\x2a\x9d\xf1\xfd\x1d\x57\x07" - "\xbe\x58\xeb\x77\x0c\xe3\xc2\x19" - "\x14\x74\x1b\x51\x1c\x4f\x41\xf3" - "\x32\x89\xb3\xe7\xde\x62\xf6\x5f" - "\xc7\x6a\x4a\x2a\x5b\x0f\x5f\x87" - "\x9c\x08\xb9\x02\x88\xc8\x29\xb7" - "\x94\x52\xfa\x52\xfe\xaa\x50\x10" - "\xba\x48\x75\x5e\x11\x1b\xe6\x39" - "\xd7\x82\x2c\x87\xf1\x1e\xa4\x38" - "\x72\x3e\x51\xe7\xd8\x3e\x5b\x7b" - "\x31\x16\x89\xba\xd6\xad\x18\x5e" - "\xba\xf8\x12\xb3\xf4\x6c\x47\x30" - "\xc0\x38\x58\xb3\x10\x8d\x58\x5d" - "\xb4\xfb\x19\x7e\x41\xc3\x66\xb8" - "\xd6\x72\x84\xe1\x1a\xc2\x71\x4c" - "\x0d\x4a\x21\x7a\xab\xa2\xc0\x36" - "\x15\xc5\xe9\x46\xd7\x29\x17\x76" - "\x5e\x47\x36\x7f\x72\x05\xa7\xcc" - "\x36\x63\xf9\x47\x7d\xe6\x07\x3c" - "\x8b\x79\x1d\x96\x61\x8d\x90\x65" - "\x7c\xf5\xeb\x4e\x6e\x09\x59\x6d" - "\x62\x50\x1b\x0f\xe0\xdc\x78\xf2" - "\x5b\x83\x1a\xa1\x11\x75\xfd\x18" - "\xd7\xe2\x8d\x65\x14\x21\xce\xbe" - "\xb5\x87\xe3\x0a\xda\x24\x0a\x64" - "\xa9\x9f\x03\x8d\x46\x5d\x24\x1a" - "\x8a\x0c\x42\x01\xca\xb1\x5f\x7c" - "\xa5\xac\x32\x4a\xb8\x07\x91\x18" - "\x6f\xb0\x71\x3c\xc9\xb1\xa8\xf8" - "\x5f\x69\xa5\xa1\xca\x9e\x7a\xaa" - "\xac\xe9\xc7\x47\x41\x75\x25\xc3" - "\x73\xe2\x0b\xdd\x6d\x52\x71\xbe" - "\xc5\xdc\xb4\xe7\x01\x26\x53\x77" - "\x86\x90\x85\x68\x6b\x7b\x03\x53" - "\xda\x52\x52\x51\x68\xc8\xf3\xec" - "\x6c\xd5\x03\x7a\xa3\x0e\xb4\x02" - "\x5f\x1a\xab\xee\xca\x67\x29\x7b" - "\xbd\x96\x59\xb3\x8b\x32\x7a\x92" - "\x9f\xd8\x25\x2b\xdf\xc0\x4c\xda", - .ksize =3D 1088, - .plaintext =3D "\xbc\xda\x81\xa8\x78\x79\x1c\xbf" - "\x77\x53\xba\x4c\x30\x5b\xb8\x33", - .psize =3D 16, - .digest =3D "\x04\xbf\x7f\x6a\xce\x72\xea\x6a" - "\x79\xdb\xb0\xc9\x60\xf6\x12\xcc", - }, { - .key =3D "\x2e\x77\x1e\x2c\x63\x76\x34\x3f" - "\x71\x08\x4f\x5a\xe3\x3d\x74\x56" - "\xc7\x98\x46\x52\xe5\x8a\xba\x0d" - "\x72\x41\x11\x15\x14\x72\x50\x8a" - "\xd5\xec\x60\x09\xdd\x71\xcc\xb9" - "\x59\x81\x65\x2d\x9e\x50\x18\xf3" - "\x32\xf3\xf1\xe7\x01\x82\x1c\xad" - "\x88\xa0\x21\x0c\x4b\x80\x5e\x62" - "\xfc\x81\xec\x52\xaa\xe4\xa5\x86" - "\xc2\xe6\x03\x11\xdc\x66\x09\x86" - "\x3c\x3b\xf0\x59\x0f\xb3\xf7\x44" - "\x24\xb7\x88\xc5\xfc\xc8\x77\x9f" - "\x8c\x44\xc4\x11\x55\xce\x7a\xa3" - "\xe0\xa2\xb8\xbf\xb5\x3d\x07\x2c" - "\x32\xb6\x6c\xfc\xb4\x42\x95\x95" - "\x98\x32\x81\xc4\xe7\xe2\xd9\x6a" - "\x87\xf4\xf4\x1e\x74\x7c\xb5\xcd" - "\x51\x45\x68\x38\x51\xdb\x30\x74" - "\x11\xe0\xaa\xae\x19\x8f\x15\x55" - "\xdd\x47\x4a\x35\xb9\x0c\xb4\x4e" - "\xa9\xce\x2f\xfa\x8f\xc1\x8a\x5e" - "\x5b\xec\xa5\x81\x3b\xb3\x43\x06" - "\x24\x81\xf4\x24\xe2\x21\xfa\xcb" - "\x49\xa8\xf8\xbd\x31\x4a\x5b\x2d" - "\x64\x0a\x07\xf0\x80\xc9\x0d\x81" - "\x14\x58\x54\x2b\xba\x22\x31\xba" - "\xef\x66\xc9\x49\x69\x69\x83\x0d" - "\xf2\xf9\x80\x9d\x30\x36\xfb\xe3" - "\xc0\x72\x2b\xcc\x5a\x81\x2c\x5d" - "\x3b\x5e\xf8\x2b\xd3\x14\x28\x73" - "\xf9\x1c\x70\xe6\xd8\xbb\xac\x30" - "\xf9\xd9\xa0\xe2\x33\x7c\x33\x34" - "\xa5\x6a\x77\x6d\xd5\xaf\xf4\xf3" - "\xc7\xb3\x0e\x83\x3d\xcb\x01\xcc" - "\x81\xc0\xf9\x4a\xae\x36\x92\xf7" - "\x69\x7b\x65\x01\xc3\xc8\xb8\xae" - "\x16\xd8\x30\xbb\xba\x6d\x78\x6e" - "\x0d\xf0\x7d\x84\xb7\x87\xda\x28" - "\x7a\x18\x10\x0b\x29\xec\x29\xf3" - "\xb0\x7b\xa1\x28\xbf\xbc\x2b\x2c" - "\x92\x2c\x16\xfb\x02\x39\xf9\xa6" - "\xa2\x15\x05\xa6\x72\x10\xbc\x62" - "\x4a\x6e\xb8\xb5\x5d\x59\xae\x3c" - "\x32\xd3\x68\xd7\x8e\x5a\xcd\x1b" - "\xef\xf6\xa7\x5e\x10\x51\x15\x4b" - "\x2c\xe3\xba\x70\x4f\x2c\xa0\x1c" - "\x7b\x97\xd7\xb2\xa5\x05\x17\xcc" - "\xf7\x3a\x29\x6f\xd5\x4b\xb8\x24" - "\xf4\x65\x95\x12\xc0\x86\xd1\x64" - "\x81\xdf\x46\x55\x0d\x22\x06\x77" - "\xd8\xca\x8d\xc8\x87\xc3\xfa\xb9" - "\xe1\x98\x94\xe6\x7b\xed\x65\x66" - "\x0e\xc7\x25\x15\xee\x4a\xe6\x7e" - "\xea\x1b\x58\xee\x96\xa0\x75\x9a" - "\xa3\x00\x9e\x42\xc2\x26\x20\x8c" - "\x3d\x22\x1f\x94\x3e\x74\x43\x72" - "\xe9\x1d\xa6\xa1\x6c\xa7\xb8\x03" - "\xdf\xb9\x7a\xaf\xe9\xe9\x3b\xfe" - "\xdf\x91\xc1\x01\xa8\xba\x5d\x29" - "\xa5\xe0\x98\x9b\x13\xe5\x13\x11" - "\x7c\x04\x3a\xe8\x44\x7e\x78\xfc" - "\xd6\x96\xa8\xbc\x7d\xc1\x89\x3d" - "\x75\x64\xa9\x0e\x86\x33\xfb\x73" - "\xf7\x15\xbc\x2c\x9a\x3f\x29\xce" - "\x1c\x9d\x10\x4e\x85\xe1\x77\x41" - "\x01\xe2\xbc\x88\xec\x81\xef\xc2" - "\x6a\xed\x4f\xf7\xdf\xac\x10\x71" - "\x94\xed\x71\xa4\x01\xd4\xd6\xbe" - "\xfe\x3e\xc3\x92\x6a\xf2\x2b\xb5" - "\xab\x15\x96\xb7\x88\x2c\xc2\xe1" - "\xb0\x04\x22\xe7\x3d\xa9\xc9\x7d" - "\x2c\x7c\x21\xff\x97\x86\x6b\x0c" - "\x2b\x5b\xe0\xb6\x48\x74\x8f\x24" - "\xef\x8e\xdd\x0f\x2a\x5f\xff\x33" - "\xf4\x8e\xc5\xeb\x9c\xd7\x2a\x45" - "\xf3\x50\xf1\xc0\x91\x8f\xc7\xf9" - "\x97\xc1\x3c\x9c\xf4\xed\x8a\x23" - "\x61\x5b\x40\x1a\x09\xee\x23\xa8" - "\x7c\x7a\x96\xe1\x31\x55\x3d\x12" - "\x04\x1f\x21\x78\x72\xf0\x0f\xa5" - "\x80\x58\x7c\x2f\x37\xb5\x67\x24" - "\x2f\xce\xf9\xf6\x86\x9f\xb3\x34" - "\x0c\xfe\x0a\xaf\x27\xe6\x5e\x0a" - "\x21\x44\x68\xe1\x5d\x84\x25\xae" - "\x2c\x5a\x94\x66\x9a\x3f\x0e\x5a" - "\xd0\x60\x2a\xd5\x3a\x4e\x2f\x40" - "\x87\xe9\x27\x3e\xee\x92\xe1\x07" - "\x22\x43\x52\xed\x67\x49\x13\xdd" - "\x68\xd7\x54\xc2\x76\x72\x7e\x75" - "\xaf\x24\x98\x5c\xe8\x22\xaa\x35" - "\x0f\x9a\x1c\x4c\x0b\x43\x68\x99" - "\x45\xdd\xbf\x82\xa5\x6f\x0a\xef" - "\x44\x90\x85\xe7\x57\x23\x22\x41" - "\x2e\xda\x24\x28\x65\x7f\x96\x85" - "\x9f\x4b\x0d\x43\xb9\xa8\xbd\x84" - "\xad\x0b\x09\xcc\x2c\x4a\x0c\xec" - "\x71\x58\xba\xf1\xfc\x49\x4c\xca" - "\x5c\x5d\xb2\x77\x0c\x99\xae\x1c" - "\xce\x70\x05\x5b\x73\x6b\x7c\x28" - "\x3b\xeb\x21\x3f\xa3\x71\xe1\x6a" - "\xf4\x87\xd0\xbf\x73\xaa\x0b\x0b" - "\xed\x70\xb3\xd4\xa3\xca\x76\x3a" - "\xdb\xfa\xd8\x08\x95\xec\xac\x59" - "\xd0\x79\x90\xc2\x33\x7b\xcc\x28" - "\x65\xb6\x5f\x92\xc4\xac\x23\x40" - "\xd1\x20\x44\x1f\xd7\x29\xab\x46" - "\x79\x32\xc6\x8f\x79\xe5\xaa\x2c" - "\xa6\x76\x70\x3a\x9e\x46\x3f\x8c" - "\x1a\x89\x32\x28\x61\x5c\xcf\x93" - "\x1e\xde\x9e\x98\xbe\x06\x30\x23" - "\xc4\x8b\xda\x1c\xd1\x67\x46\x93" - "\x9d\x41\xa2\x8c\x03\x22\xbd\x55" - "\x7e\x91\x51\x13\xdc\xcf\x5c\x1e" - "\xcb\x5d\xfb\x14\x16\x1a\x44\x56" - "\x27\x77\xfd\xed\x7d\xbd\xd1\x49" - "\x7f\x0d\xc3\x59\x48\x6b\x3c\x02" - "\x6b\xb5\xd0\x83\xd5\x81\x29\xe7" - "\xe0\xc9\x36\x23\x8d\x41\x33\x77" - "\xff\x5f\x54\xde\x4d\x3f\xd2\x4e" - "\xb6\x4d\xdd\x85\xf8\x9b\x20\x7d" - "\x39\x27\x68\x63\xd3\x8e\x61\x39" - "\xfa\xe1\xc3\x04\x74\x27\x5a\x34" - "\x7f\xec\x59\x2d\xc5\x6e\x54\x23" - "\xf5\x7b\x4b\xbe\x58\x2b\xf2\x81" - "\x93\x63\xcc\x13\xd9\x90\xbb\x6a" - "\x41\x03\x8d\x95\xeb\xbb\x5d\x06" - "\x38\x4c\x0e\xd6\xa9\x5b\x84\x97" - "\x3e\x64\x72\xe9\x96\x07\x0f\x73" - "\x6e\xc6\x3b\x32\xbe\xac\x13\x14" - "\xd0\x0a\x17\x5f\xb9\x9c\x3e\x34" - "\xd9\xec\xd6\x8f\x89\xbf\x1e\xd3" - "\xda\x80\xb2\x29\xff\x28\x96\xb3" - "\x46\x50\x5b\x15\x80\x97\xee\x1f" - "\x6c\xd8\xe8\xe0\xbd\x09\xe7\x20" - "\x8c\x23\x8e\xd9\xbb\x92\xfa\x82" - "\xaa\x0f\xb5\xf8\x78\x60\x11\xf0", - .ksize =3D 1088, - .plaintext =3D "\x0b\xb2\x31\x2d\xad\xfe\xce\xf9" - "\xec\x5d\x3d\x64\x5f\x3f\x75\x43" - "\x05\x5b\x97", - .psize =3D 19, - .digest =3D "\x5f\x02\xae\x65\x6c\x13\x21\x67" - "\x77\x9e\xc4\x43\x58\x68\xde\x8f", - }, { - .key =3D "\x65\x4d\xe3\xf8\xd2\x4c\xac\x28" - "\x68\xf5\xb3\x81\x71\x4b\xa1\xfa" - "\x04\x0e\xd3\x81\x36\xbe\x0c\x81" - "\x5e\xaf\xbc\x3a\xa4\xc0\x8e\x8b" - "\x55\x63\xd3\x52\x97\x88\xd6\x19" - "\xbc\x96\xdf\x49\xff\x04\x63\xf5" - "\x0c\x11\x13\xaa\x9e\x1f\x5a\xf7" - "\xdd\xbd\x37\x80\xc3\xd0\xbe\xa7" - "\x05\xc8\x3c\x98\x1e\x05\x3c\x84" - "\x39\x61\xc4\xed\xed\x71\x1b\xc4" - "\x74\x45\x2c\xa1\x56\x70\x97\xfd" - "\x44\x18\x07\x7d\xca\x60\x1f\x73" - "\x3b\x6d\x21\xcb\x61\x87\x70\x25" - "\x46\x21\xf1\x1f\x21\x91\x31\x2d" - "\x5d\xcc\xb7\xd1\x84\x3e\x3d\xdb" - "\x03\x53\x2a\x82\xa6\x9a\x95\xbc" - "\x1a\x1e\x0a\x5e\x07\x43\xab\x43" - "\xaf\x92\x82\x06\x91\x04\x09\xf4" - "\x17\x0a\x9a\x2c\x54\xdb\xb8\xf4" - "\xd0\xf0\x10\x66\x24\x8d\xcd\xda" - "\xfe\x0e\x45\x9d\x6f\xc4\x4e\xf4" - "\x96\xaf\x13\xdc\xa9\xd4\x8c\xc4" - "\xc8\x57\x39\x3c\xc2\xd3\x0a\x76" - "\x4a\x1f\x75\x83\x44\xc7\xd1\x39" - "\xd8\xb5\x41\xba\x73\x87\xfa\x96" - "\xc7\x18\x53\xfb\x9b\xda\xa0\x97" - "\x1d\xee\x60\x85\x9e\x14\xc3\xce" - "\xc4\x05\x29\x3b\x95\x30\xa3\xd1" - "\x9f\x82\x6a\x04\xf5\xa7\x75\x57" - "\x82\x04\xfe\x71\x51\x71\xb1\x49" - "\x50\xf8\xe0\x96\xf1\xfa\xa8\x88" - "\x3f\xa0\x86\x20\xd4\x60\x79\x59" - "\x17\x2d\xd1\x09\xf4\xec\x05\x57" - "\xcf\x62\x7e\x0e\x7e\x60\x78\xe6" - "\x08\x60\x29\xd8\xd5\x08\x1a\x24" - "\xc4\x6c\x24\xe7\x92\x08\x3d\x8a" - "\x98\x7a\xcf\x99\x0a\x65\x0e\xdc" - "\x8c\x8a\xbe\x92\x82\x91\xcc\x62" - "\x30\xb6\xf4\x3f\xc6\x8a\x7f\x12" - "\x4a\x8a\x49\xfa\x3f\x5c\xd4\x5a" - "\xa6\x82\xa3\xe6\xaa\x34\x76\xb2" - "\xab\x0a\x30\xef\x6c\x77\x58\x3f" - "\x05\x6b\xcc\x5c\xae\xdc\xd7\xb9" - "\x51\x7e\x8d\x32\x5b\x24\x25\xbe" - "\x2b\x24\x01\xcf\x80\xda\x16\xd8" - "\x90\x72\x2c\xad\x34\x8d\x0c\x74" - "\x02\xcb\xfd\xcf\x6e\xef\x97\xb5" - "\x4c\xf2\x68\xca\xde\x43\x9e\x8a" - "\xc5\x5f\x31\x7f\x14\x71\x38\xec" - "\xbd\x98\xe5\x71\xc4\xb5\xdb\xef" - "\x59\xd2\xca\xc0\xc1\x86\x75\x01" - "\xd4\x15\x0d\x6f\xa4\xf7\x7b\x37" - "\x47\xda\x18\x93\x63\xda\xbe\x9e" - "\x07\xfb\xb2\x83\xd5\xc4\x34\x55" - "\xee\x73\xa1\x42\x96\xf9\x66\x41" - "\xa4\xcc\xd2\x93\x6e\xe1\x0a\xbb" - "\xd2\xdd\x18\x23\xe6\x6b\x98\x0b" - "\x8a\x83\x59\x2c\xc3\xa6\x59\x5b" - "\x01\x22\x59\xf7\xdc\xb0\x87\x7e" - "\xdb\x7d\xf4\x71\x41\xab\xbd\xee" - "\x79\xbe\x3c\x01\x76\x0b\x2d\x0a" - "\x42\xc9\x77\x8c\xbb\x54\x95\x60" - "\x43\x2e\xe0\x17\x52\xbd\x90\xc9" - "\xc2\x2c\xdd\x90\x24\x22\x76\x40" - "\x5c\xb9\x41\xc9\xa1\xd5\xbd\xe3" - "\x44\xe0\xa4\xab\xcc\xb8\xe2\x32" - "\x02\x15\x04\x1f\x8c\xec\x5d\x14" - "\xac\x18\xaa\xef\x6e\x33\x19\x6e" - "\xde\xfe\x19\xdb\xeb\x61\xca\x18" - "\xad\xd8\x3d\xbf\x09\x11\xc7\xa5" - "\x86\x0b\x0f\xe5\x3e\xde\xe8\xd9" - "\x0a\x69\x9e\x4c\x20\xff\xf9\xc5" - "\xfa\xf8\xf3\x7f\xa5\x01\x4b\x5e" - "\x0f\xf0\x3b\x68\xf0\x46\x8c\x2a" - "\x7a\xc1\x8f\xa0\xfe\x6a\x5b\x44" - "\x70\x5c\xcc\x92\x2c\x6f\x0f\xbd" - "\x25\x3e\xb7\x8e\x73\x58\xda\xc9" - "\xa5\xaa\x9e\xf3\x9b\xfd\x37\x3e" - "\xe2\x88\xa4\x7b\xc8\x5c\xa8\x93" - "\x0e\xe7\x9a\x9c\x2e\x95\x18\x9f" - "\xc8\x45\x0c\x88\x9e\x53\x4f\x3a" - "\x76\xc1\x35\xfa\x17\xd8\xac\xa0" - "\x0c\x2d\x47\x2e\x4f\x69\x9b\xf7" - "\xd0\xb6\x96\x0c\x19\xb3\x08\x01" - "\x65\x7a\x1f\xc7\x31\x86\xdb\xc8" - "\xc1\x99\x8f\xf8\x08\x4a\x9d\x23" - "\x22\xa8\xcf\x27\x01\x01\x88\x93" - "\x9c\x86\x45\xbd\xe0\x51\xca\x52" - "\x84\xba\xfe\x03\xf7\xda\xc5\xce" - "\x3e\x77\x75\x86\xaf\x84\xc8\x05" - "\x44\x01\x0f\x02\xf3\x58\xb0\x06" - "\x5a\xd7\x12\x30\x8d\xdf\x1f\x1f" - "\x0a\xe6\xd2\xea\xf6\x3a\x7a\x99" - "\x63\xe8\xd2\xc1\x4a\x45\x8b\x40" - "\x4d\x0a\xa9\x76\x92\xb3\xda\x87" - "\x36\x33\xf0\x78\xc3\x2f\x5f\x02" - "\x1a\x6a\x2c\x32\xcd\x76\xbf\xbd" - "\x5a\x26\x20\x28\x8c\x8c\xbc\x52" - "\x3d\x0a\xc9\xcb\xab\xa4\x21\xb0" - "\x54\x40\x81\x44\xc7\xd6\x1c\x11" - "\x44\xc6\x02\x92\x14\x5a\xbf\x1a" - "\x09\x8a\x18\xad\xcd\x64\x3d\x53" - "\x4a\xb6\xa5\x1b\x57\x0e\xef\xe0" - "\x8c\x44\x5f\x7d\xbd\x6c\xfd\x60" - "\xae\x02\x24\xb6\x99\xdd\x8c\xaf" - "\x59\x39\x75\x3c\xd1\x54\x7b\x86" - "\xcc\x99\xd9\x28\x0c\xb0\x94\x62" - "\xf9\x51\xd1\x19\x96\x2d\x66\xf5" - "\x55\xcf\x9e\x59\xe2\x6b\x2c\x08" - "\xc0\x54\x48\x24\x45\xc3\x8c\x73" - "\xea\x27\x6e\x66\x7d\x1d\x0e\x6e" - "\x13\xe8\x56\x65\x3a\xb0\x81\x5c" - "\xf0\xe8\xd8\x00\x6b\xcd\x8f\xad" - "\xdd\x53\xf3\xa4\x6c\x43\xd6\x31" - "\xaf\xd2\x76\x1e\x91\x12\xdb\x3c" - "\x8c\xc2\x81\xf0\x49\xdb\xe2\x6b" - "\x76\x62\x0a\x04\xe4\xaa\x8a\x7c" - "\x08\x0b\x5d\xd0\xee\x1d\xfb\xc4" - "\x02\x75\x42\xd6\xba\xa7\x22\xa8" - "\x47\x29\xb7\x85\x6d\x93\x3a\xdb" - "\x00\x53\x0b\xa2\xeb\xf8\xfe\x01" - "\x6f\x8a\x31\xd6\x17\x05\x6f\x67" - "\x88\x95\x32\xfe\x4f\xa6\x4b\xf8" - "\x03\xe4\xcd\x9a\x18\xe8\x4e\x2d" - "\xf7\x97\x9a\x0c\x7d\x9f\x7e\x44" - "\x69\x51\xe0\x32\x6b\x62\x86\x8f" - "\xa6\x8e\x0b\x21\x96\xe5\xaf\x77" - "\xc0\x83\xdf\xa5\x0e\xd0\xa1\x04" - "\xaf\xc1\x10\xcb\x5a\x40\xe4\xe3" - "\x38\x7e\x07\xe8\x4d\xfa\xed\xc5" - "\xf0\x37\xdf\xbb\x8a\xcf\x3d\xdc" - "\x61\xd2\xc6\x2b\xff\x07\xc9\x2f" - "\x0c\x2d\x5c\x07\xa8\x35\x6a\xfc" - "\xae\x09\x03\x45\x74\x51\x4d\xc4" - "\xb8\x23\x87\x4a\x99\x27\x20\x87" - "\x62\x44\x0a\x4a\xce\x78\x47\x22", - .ksize =3D 1088, - .plaintext =3D "\x8e\xb0\x4c\xde\x9c\x4a\x04\x5a" - "\xf6\xa9\x7f\x45\x25\xa5\x7b\x3a" - "\xbc\x4d\x73\x39\x81\xb5\xbd\x3d" - "\x21\x6f\xd7\x37\x50\x3c\x7b\x28" - "\xd1\x03\x3a\x17\xed\x7b\x7c\x2a" - "\x16\xbc\xdf\x19\x89\x52\x71\x31" - "\xb6\xc0\xfd\xb5\xd3\xba\x96\x99" - "\xb6\x34\x0b\xd0\x99\x93\xfc\x1a" - "\x01\x3c\x85\xc6\x9b\x78\x5c\x8b" - "\xfe\xae\xd2\xbf\xb2\x6f\xf9\xed" - "\xc8\x25\x17\xfe\x10\x3b\x7d\xda" - "\xf4\x8d\x35\x4b\x7c\x7b\x82\xe7" - "\xc2\xb3\xee\x60\x4a\x03\x86\xc9" - "\x4e\xb5\xc4\xbe\xd2\xbd\x66\xf1" - "\x13\xf1\x09\xab\x5d\xca\x63\x1f" - "\xfc\xfb\x57\x2a\xfc\xca\x66\xd8" - "\x77\x84\x38\x23\x1d\xac\xd3\xb3" - "\x7a\xad\x4c\x70\xfa\x9c\xc9\x61" - "\xa6\x1b\xba\x33\x4b\x4e\x33\xec" - "\xa0\xa1\x64\x39\x40\x05\x1c\xc2" - "\x3f\x49\x9d\xae\xf2\xc5\xf2\xc5" - "\xfe\xe8\xf4\xc2\xf9\x96\x2d\x28" - "\x92\x30\x44\xbc\xd2\x7f\xe1\x6e" - "\x62\x02\x8f\x3d\x1c\x80\xda\x0e" - "\x6a\x90\x7e\x75\xff\xec\x3e\xc4" - "\xcd\x16\x34\x3b\x05\x6d\x4d\x20" - "\x1c\x7b\xf5\x57\x4f\xfa\x3d\xac" - "\xd0\x13\x55\xe8\xb3\xe1\x1b\x78" - "\x30\xe6\x9f\x84\xd4\x69\xd1\x08" - "\x12\x77\xa7\x4a\xbd\xc0\xf2\xd2" - "\x78\xdd\xa3\x81\x12\xcb\x6c\x14" - "\x90\x61\xe2\x84\xc6\x2b\x16\xcc" - "\x40\x99\x50\x88\x01\x09\x64\x4f" - "\x0a\x80\xbe\x61\xae\x46\xc9\x0a" - "\x5d\xe0\xfb\x72\x7a\x1a\xdd\x61" - "\x63\x20\x05\xa0\x4a\xf0\x60\x69" - "\x7f\x92\xbc\xbf\x4e\x39\x4d\xdd" - "\x74\xd1\xb7\xc0\x5a\x34\xb7\xae" - "\x76\x65\x2e\xbc\x36\xb9\x04\x95" - "\x42\xe9\x6f\xca\x78\xb3\x72\x07" - "\xa3\xba\x02\x94\x67\x4c\xb1\xd7" - "\xe9\x30\x0d\xf0\x3b\xb8\x10\x6d" - "\xea\x2b\x21\xbf\x74\x59\x82\x97" - "\x85\xaa\xf1\xd7\x54\x39\xeb\x05" - "\xbd\xf3\x40\xa0\x97\xe6\x74\xfe" - "\xb4\x82\x5b\xb1\x36\xcb\xe8\x0d" - "\xce\x14\xd9\xdf\xf1\x94\x22\xcd" - "\xd6\x00\xba\x04\x4c\x05\x0c\xc0" - "\xd1\x5a\xeb\x52\xd5\xa8\x8e\xc8" - "\x97\xa1\xaa\xc1\xea\xc1\xbe\x7c" - "\x36\xb3\x36\xa0\xc6\x76\x66\xc5" - "\xe2\xaf\xd6\x5c\xe2\xdb\x2c\xb3" - "\x6c\xb9\x99\x7f\xff\x9f\x03\x24" - "\xe1\x51\x44\x66\xd8\x0c\x5d\x7f" - "\x5c\x85\x22\x2a\xcf\x6d\x79\x28" - "\xab\x98\x01\x72\xfe\x80\x87\x5f" - "\x46\xba\xef\x81\x24\xee\xbf\xb0" - "\x24\x74\xa3\x65\x97\x12\xc4\xaf" - "\x8b\xa0\x39\xda\x8a\x7e\x74\x6e" - "\x1b\x42\xb4\x44\x37\xfc\x59\xfd" - "\x86\xed\xfb\x8c\x66\x33\xda\x63" - "\x75\xeb\xe1\xa4\x85\x4f\x50\x8f" - "\x83\x66\x0d\xd3\x37\xfa\xe6\x9c" - "\x4f\x30\x87\x35\x18\xe3\x0b\xb7" - "\x6e\x64\x54\xcd\x70\xb3\xde\x54" - "\xb7\x1d\xe6\x4c\x4d\x55\x12\x12" - "\xaf\x5f\x7f\x5e\xee\x9d\xe8\x8e" - "\x32\x9d\x4e\x75\xeb\xc6\xdd\xaa" - "\x48\x82\xa4\x3f\x3c\xd7\xd3\xa8" - "\x63\x9e\x64\xfe\xe3\x97\x00\x62" - "\xe5\x40\x5d\xc3\xad\x72\xe1\x28" - "\x18\x50\xb7\x75\xef\xcd\x23\xbf" - "\x3f\xc0\x51\x36\xf8\x41\xc3\x08" - "\xcb\xf1\x8d\x38\x34\xbd\x48\x45" - "\x75\xed\xbc\x65\x7b\xb5\x0c\x9b" - "\xd7\x67\x7d\x27\xb4\xc4\x80\xd7" - "\xa9\xb9\xc7\x4a\x97\xaa\xda\xc8" - "\x3c\x74\xcf\x36\x8f\xe4\x41\xe3" - "\xd4\xd3\x26\xa7\xf3\x23\x9d\x8f" - "\x6c\x20\x05\x32\x3e\xe0\xc3\xc8" - "\x56\x3f\xa7\x09\xb7\xfb\xc7\xf7" - "\xbe\x2a\xdd\x0f\x06\x7b\x0d\xdd" - "\xb0\xb4\x86\x17\xfd\xb9\x04\xe5" - "\xc0\x64\x5d\xad\x2a\x36\x38\xdb" - "\x24\xaf\x5b\xff\xca\xf9\x41\xe8" - "\xf9\x2f\x1e\x5e\xf9\xf5\xd5\xf2" - "\xb2\x88\xca\xc9\xa1\x31\xe2\xe8" - "\x10\x95\x65\xbf\xf1\x11\x61\x7a" - "\x30\x1a\x54\x90\xea\xd2\x30\xf6" - "\xa5\xad\x60\xf9\x4d\x84\x21\x1b" - "\xe4\x42\x22\xc8\x12\x4b\xb0\x58" - "\x3e\x9c\x2d\x32\x95\x0a\x8e\xb0" - "\x0a\x7e\x77\x2f\xe8\x97\x31\x6a" - "\xf5\x59\xb4\x26\xe6\x37\x12\xc9" - "\xcb\xa0\x58\x33\x6f\xd5\x55\x55" - "\x3c\xa1\x33\xb1\x0b\x7e\x2e\xb4" - "\x43\x2a\x84\x39\xf0\x9c\xf4\x69" - "\x4f\x1e\x79\xa6\x15\x1b\x87\xbb" - "\xdb\x9b\xe0\xf1\x0b\xba\xe3\x6e" - "\xcc\x2f\x49\x19\x22\x29\xfc\x71" - "\xbb\x77\x38\x18\x61\xaf\x85\x76" - "\xeb\xd1\x09\xcc\x86\x04\x20\x9a" - "\x66\x53\x2f\x44\x8b\xc6\xa3\xd2" - "\x5f\xc7\x79\x82\x66\xa8\x6e\x75" - "\x7d\x94\xd1\x86\x75\x0f\xa5\x4f" - "\x3c\x7a\x33\xce\xd1\x6e\x9d\x7b" - "\x1f\x91\x37\xb8\x37\x80\xfb\xe0" - "\x52\x26\xd0\x9a\xd4\x48\x02\x41" - "\x05\xe3\x5a\x94\xf1\x65\x61\x19" - "\xb8\x88\x4e\x2b\xea\xba\x8b\x58" - "\x8b\x42\x01\x00\xa8\xfe\x00\x5c" - "\xfe\x1c\xee\x31\x15\x69\xfa\xb3" - "\x9b\x5f\x22\x8e\x0d\x2c\xe3\xa5" - "\x21\xb9\x99\x8a\x8e\x94\x5a\xef" - "\x13\x3e\x99\x96\x79\x6e\xd5\x42" - "\x36\x03\xa9\xe2\xca\x65\x4e\x8a" - "\x8a\x30\xd2\x7d\x74\xe7\xf0\xaa" - "\x23\x26\xdd\xcb\x82\x39\xfc\x9d" - "\x51\x76\x21\x80\xa2\xbe\x93\x03" - "\x47\xb0\xc1\xb6\xdc\x63\xfd\x9f" - "\xca\x9d\xa5\xca\x27\x85\xe2\xd8" - "\x15\x5b\x7e\x14\x7a\xc4\x89\xcc" - "\x74\x14\x4b\x46\xd2\xce\xac\x39" - "\x6b\x6a\x5a\xa4\x0e\xe3\x7b\x15" - "\x94\x4b\x0f\x74\xcb\x0c\x7f\xa9" - "\xbe\x09\x39\xa3\xdd\x56\x5c\xc7" - "\x99\x56\x65\x39\xf4\x0b\x7d\x87" - "\xec\xaa\xe3\x4d\x22\x65\x39\x4e", - .psize =3D 1024, - .digest =3D "\x64\x3a\xbc\xc3\x3f\x74\x40\x51" - "\x6e\x56\x01\x1a\x51\xec\x36\xde", - }, { - .key =3D "\x1b\x82\x2e\x1b\x17\x23\xb9\x6d" - "\xdc\x9c\xda\x99\x07\xe3\x5f\xd8" - "\xd2\xf8\x43\x80\x8d\x86\x7d\x80" - "\x1a\xd0\xcc\x13\xb9\x11\x05\x3f" - "\x7e\xcf\x7e\x80\x0e\xd8\x25\x48" - "\x8b\xaa\x63\x83\x92\xd0\x72\xf5" - "\x4f\x67\x7e\x50\x18\x25\xa4\xd1" - "\xe0\x7e\x1e\xba\xd8\xa7\x6e\xdb" - "\x1a\xcc\x0d\xfe\x9f\x6d\x22\x35" - "\xe1\xe6\xe0\xa8\x7b\x9c\xb1\x66" - "\xa3\xf8\xff\x4d\x90\x84\x28\xbc" - "\xdc\x19\xc7\x91\x49\xfc\xf6\x33" - "\xc9\x6e\x65\x7f\x28\x6f\x68\x2e" - "\xdf\x1a\x75\xe9\xc2\x0c\x96\xb9" - "\x31\x22\xc4\x07\xc6\x0a\x2f\xfd" - "\x36\x06\x5f\x5c\xc5\xb1\x3a\xf4" - "\x5e\x48\xa4\x45\x2b\x88\xa7\xee" - "\xa9\x8b\x52\xcc\x99\xd9\x2f\xb8" - "\xa4\x58\x0a\x13\xeb\x71\x5a\xfa" - "\xe5\x5e\xbe\xf2\x64\xad\x75\xbc" - "\x0b\x5b\x34\x13\x3b\x23\x13\x9a" - "\x69\x30\x1e\x9a\xb8\x03\xb8\x8b" - "\x3e\x46\x18\x6d\x38\xd9\xb3\xd8" - "\xbf\xf1\xd0\x28\xe6\x51\x57\x80" - "\x5e\x99\xfb\xd0\xce\x1e\x83\xf7" - "\xe9\x07\x5a\x63\xa9\xef\xce\xa5" - "\xfb\x3f\x37\x17\xfc\x0b\x37\x0e" - "\xbb\x4b\x21\x62\xb7\x83\x0e\xa9" - "\x9e\xb0\xc4\xad\x47\xbe\x35\xe7" - "\x51\xb2\xf2\xac\x2b\x65\x7b\x48" - "\xe3\x3f\x5f\xb6\x09\x04\x0c\x58" - "\xce\x99\xa9\x15\x2f\x4e\xc1\xf2" - "\x24\x48\xc0\xd8\x6c\xd3\x76\x17" - "\x83\x5d\xe6\xe3\xfd\x01\x8e\xf7" - "\x42\xa5\x04\x29\x30\xdf\xf9\x00" - "\x4a\xdc\x71\x22\x1a\x33\x15\xb6" - "\xd7\x72\xfb\x9a\xb8\xeb\x2b\x38" - "\xea\xa8\x61\xa8\x90\x11\x9d\x73" - "\x2e\x6c\xce\x81\x54\x5a\x9f\xcd" - "\xcf\xd5\xbd\x26\x5d\x66\xdb\xfb" - "\xdc\x1e\x7c\x10\xfe\x58\x82\x10" - "\x16\x24\x01\xce\x67\x55\x51\xd1" - "\xdd\x6b\x44\xa3\x20\x8e\xa9\xa6" - "\x06\xa8\x29\x77\x6e\x00\x38\x5b" - "\xde\x4d\x58\xd8\x1f\x34\xdf\xf9" - "\x2c\xac\x3e\xad\xfb\x92\x0d\x72" - "\x39\xa4\xac\x44\x10\xc0\x43\xc4" - "\xa4\x77\x3b\xfc\xc4\x0d\x37\xd3" - "\x05\x84\xda\x53\x71\xf8\x80\xd3" - "\x34\x44\xdb\x09\xb4\x2b\x8e\xe3" - "\x00\x75\x50\x9e\x43\x22\x00\x0b" - "\x7c\x70\xab\xd4\x41\xf1\x93\xcd" - "\x25\x2d\x84\x74\xb5\xf2\x92\xcd" - "\x0a\x28\xea\x9a\x49\x02\x96\xcb" - "\x85\x9e\x2f\x33\x03\x86\x1d\xdc" - "\x1d\x31\xd5\xfc\x9d\xaa\xc5\xe9" - "\x9a\xc4\x57\xf5\x35\xed\xf4\x4b" - "\x3d\x34\xc2\x29\x13\x86\x36\x42" - "\x5d\xbf\x90\x86\x13\x77\xe5\xc3" - "\x62\xb4\xfe\x0b\x70\x39\x35\x65" - "\x02\xea\xf6\xce\x57\x0c\xbb\x74" - "\x29\xe3\xfd\x60\x90\xfd\x10\x38" - "\xd5\x4e\x86\xbd\x37\x70\xf0\x97" - "\xa6\xab\x3b\x83\x64\x52\xca\x66" - "\x2f\xf9\xa4\xca\x3a\x55\x6b\xb0" - "\xe8\x3a\x34\xdb\x9e\x48\x50\x2f" - "\x3b\xef\xfd\x08\x2d\x5f\xc1\x37" - "\x5d\xbe\x73\xe4\xd8\xe9\xac\xca" - "\x8a\xaa\x48\x7c\x5c\xf4\xa6\x96" - "\x5f\xfa\x70\xa6\xb7\x8b\x50\xcb" - "\xa6\xf5\xa9\xbd\x7b\x75\x4c\x22" - "\x0b\x19\x40\x2e\xc9\x39\x39\x32" - "\x83\x03\xa8\xa4\x98\xe6\x8e\x16" - "\xb9\xde\x08\xc5\xfc\xbf\xad\x39" - "\xa8\xc7\x93\x6c\x6f\x23\xaf\xc1" - "\xab\xe1\xdf\xbb\x39\xae\x93\x29" - "\x0e\x7d\x80\x8d\x3e\x65\xf3\xfd" - "\x96\x06\x65\x90\xa1\x28\x64\x4b" - "\x69\xf9\xa8\x84\x27\x50\xfc\x87" - "\xf7\xbf\x55\x8e\x56\x13\x58\x7b" - "\x85\xb4\x6a\x72\x0f\x40\xf1\x4f" - "\x83\x81\x1f\x76\xde\x15\x64\x7a" - "\x7a\x80\xe4\xc7\x5e\x63\x01\x91" - "\xd7\x6b\xea\x0b\x9b\xa2\x99\x3b" - "\x6c\x88\xd8\xfd\x59\x3c\x8d\x22" - "\x86\x56\xbe\xab\xa1\x37\x08\x01" - "\x50\x85\x69\x29\xee\x9f\xdf\x21" - "\x3e\x20\x20\xf5\xb0\xbb\x6b\xd0" - "\x9c\x41\x38\xec\x54\x6f\x2d\xbd" - "\x0f\xe1\xbd\xf1\x2b\x6e\x60\x56" - "\x29\xe5\x7a\x70\x1c\xe2\xfc\x97" - "\x82\x68\x67\xd9\x3d\x1f\xfb\xd8" - "\x07\x9f\xbf\x96\x74\xba\x6a\x0e" - "\x10\x48\x20\xd8\x13\x1e\xb5\x44" - "\xf2\xcc\xb1\x8b\xfb\xbb\xec\xd7" - "\x37\x70\x1f\x7c\x55\xd2\x4b\xb9" - "\xfd\x70\x5e\xa3\x91\x73\x63\x52" - "\x13\x47\x5a\x06\xfb\x01\x67\xa5" - "\xc0\xd0\x49\x19\x56\x66\x9a\x77" - "\x64\xaf\x8c\x25\x91\x52\x87\x0e" - "\x18\xf3\x5f\x97\xfd\x71\x13\xf8" - "\x05\xa5\x39\xcc\x65\xd3\xcc\x63" - "\x5b\xdb\x5f\x7e\x5f\x6e\xad\xc4" - "\xf4\xa0\xc5\xc2\x2b\x4d\x97\x38" - "\x4f\xbc\xfa\x33\x17\xb4\x47\xb9" - "\x43\x24\x15\x8d\xd2\xed\x80\x68" - "\x84\xdb\x04\x80\xca\x5e\x6a\x35" - "\x2c\x2c\xe7\xc5\x03\x5f\x54\xb0" - "\x5e\x4f\x1d\x40\x54\x3d\x78\x9a" - "\xac\xda\x80\x27\x4d\x15\x4c\x1a" - "\x6e\x80\xc9\xc4\x3b\x84\x0e\xd9" - "\x2e\x93\x01\x8c\xc3\xc8\x91\x4b" - "\xb3\xaa\x07\x04\x68\x5b\x93\xa5" - "\xe7\xc4\x9d\xe7\x07\xee\xf5\x3b" - "\x40\x89\xcc\x60\x34\x9d\xb4\x06" - "\x1b\xef\x92\xe6\xc1\x2a\x7d\x0f" - "\x81\xaa\x56\xe3\xd7\xed\xa7\xd4" - "\xa7\x3a\x49\xc4\xad\x81\x5c\x83" - "\x55\x8e\x91\x54\xb7\x7d\x65\xa5" - "\x06\x16\xd5\x9a\x16\xc1\xb0\xa2" - "\x06\xd8\x98\x47\x73\x7e\x73\xa0" - "\xb8\x23\xb1\x52\xbf\x68\x74\x5d" - "\x0b\xcb\xfa\x8c\x46\xe3\x24\xe6" - "\xab\xd4\x69\x8d\x8c\xf2\x8a\x59" - "\xbe\x48\x46\x50\x8c\x9a\xe8\xe3" - "\x31\x55\x0a\x06\xed\x4f\xf8\xb7" - "\x4f\xe3\x85\x17\x30\xbd\xd5\x20" - "\xe7\x5b\xb2\x32\xcf\x6b\x16\x44" - "\xd2\xf5\x7e\xd7\xd1\x2f\xee\x64" - "\x3e\x9d\x10\xef\x27\x35\x43\x64" - "\x67\xfb\x7a\x7b\xe0\x62\x31\x9a" - "\x4d\xdf\xa5\xab\xc0\x20\xbb\x01" - "\xe9\x7b\x54\xf1\xde\xb2\x79\x50" - "\x6c\x4b\x91\xdb\x7f\xbb\x50\xc1" - "\x55\x44\x38\x9a\xe0\x9f\xe8\x29" - "\x6f\x15\xf8\x4e\xa6\xec\xa0\x60", - .ksize =3D 1088, - .plaintext =3D "\x15\x68\x9e\x2f\xad\x15\x52\xdf" - "\xf0\x42\x62\x24\x2a\x2d\xea\xbf" - "\xc7\xf3\xb4\x1a\xf5\xed\xb2\x08" - "\x15\x60\x1c\x00\x77\xbf\x0b\x0e" - "\xb7\x2c\xcf\x32\x3a\xc7\x01\x77" - "\xef\xa6\x75\xd0\x29\xc7\x68\x20" - "\xb2\x92\x25\xbf\x12\x34\xe9\xa4" - "\xfd\x32\x7b\x3f\x7c\xbd\xa5\x02" - "\x38\x41\xde\xc9\xc1\x09\xd9\xfc" - "\x6e\x78\x22\x83\x18\xf7\x50\x8d" - "\x8f\x9c\x2d\x02\xa5\x30\xac\xff" - "\xea\x63\x2e\x80\x37\x83\xb0\x58" - "\xda\x2f\xef\x21\x55\xba\x7b\xb1" - "\xb6\xed\xf5\xd2\x4d\xaa\x8c\xa9" - "\xdd\xdb\x0f\xb4\xce\xc1\x9a\xb1" - "\xc1\xdc\xbd\xab\x86\xc2\xdf\x0b" - "\xe1\x2c\xf9\xbe\xf6\xd8\xda\x62" - "\x72\xdd\x98\x09\x52\xc0\xc4\xb6" - "\x7b\x17\x5c\xf5\xd8\x4b\x88\xd6" - "\x6b\xbf\x84\x4a\x3f\xf5\x4d\xd2" - "\x94\xe2\x9c\xff\xc7\x3c\xd9\xc8" - "\x37\x38\xbc\x8c\xf3\xe7\xb7\xd0" - "\x1d\x78\xc4\x39\x07\xc8\x5e\x79" - "\xb6\x5a\x90\x5b\x6e\x97\xc9\xd4" - "\x82\x9c\xf3\x83\x7a\xe7\x97\xfc" - "\x1d\xbb\xef\xdb\xce\xe0\x82\xad" - "\xca\x07\x6c\x54\x62\x6f\x81\xe6" - "\x7a\x5a\x96\x6e\x80\x3a\xa2\x37" - "\x6f\xc6\xa4\x29\xc3\x9e\x19\x94" - "\x9f\xb0\x3e\x38\xfb\x3c\x2b\x7d" - "\xaa\xb8\x74\xda\x54\x23\x51\x12" - "\x4b\x96\x36\x8f\x91\x4f\x19\x37" - "\x83\xc9\xdd\xc7\x1a\x32\x2d\xab" - "\xc7\x89\xe2\x07\x47\x6c\xe8\xa6" - "\x70\x6b\x8e\x0c\xda\x5c\x6a\x59" - "\x27\x33\x0e\xe1\xe1\x20\xe8\xc8" - "\xae\xdc\xd0\xe3\x6d\xa8\xa6\x06" - "\x41\xb4\xd4\xd4\xcf\x91\x3e\x06" - "\xb0\x9a\xf7\xf1\xaa\xa6\x23\x92" - "\x10\x86\xf0\x94\xd1\x7c\x2e\x07" - "\x30\xfb\xc5\xd8\xf3\x12\xa9\xe8" - "\x22\x1c\x97\x1a\xad\x96\xb0\xa1" - "\x72\x6a\x6b\xb4\xfd\xf7\xe8\xfa" - "\xe2\x74\xd8\x65\x8d\x35\x17\x4b" - "\x00\x23\x5c\x8c\x70\xad\x71\xa2" - "\xca\xc5\x6c\x59\xbf\xb4\xc0\x6d" - "\x86\x98\x3e\x19\x5a\x90\x92\xb1" - "\x66\x57\x6a\x91\x68\x7c\xbc\xf3" - "\xf1\xdb\x94\xf8\x48\xf1\x36\xd8" - "\x78\xac\x1c\xa9\xcc\xd6\x27\xba" - "\x91\x54\x22\xf5\xe6\x05\x3f\xcc" - "\xc2\x8f\x2c\x3b\x2b\xc3\x2b\x2b" - "\x3b\xb8\xb6\x29\xb7\x2f\x94\xb6" - "\x7b\xfc\x94\x3e\xd0\x7a\x41\x59" - "\x7b\x1f\x9a\x09\xa6\xed\x4a\x82" - "\x9d\x34\x1c\xbd\x4e\x1c\x3a\x66" - "\x80\x74\x0e\x9a\x4f\x55\x54\x47" - "\x16\xba\x2a\x0a\x03\x35\x99\xa3" - "\x5c\x63\x8d\xa2\x72\x8b\x17\x15" - "\x68\x39\x73\xeb\xec\xf2\xe8\xf5" - "\x95\x32\x27\xd6\xc4\xfe\xb0\x51" - "\xd5\x0c\x50\xc5\xcd\x6d\x16\xb3" - "\xa3\x1e\x95\x69\xad\x78\x95\x06" - "\xb9\x46\xf2\x6d\x24\x5a\x99\x76" - "\x73\x6a\x91\xa6\xac\x12\xe1\x28" - "\x79\xbc\x08\x4e\x97\x00\x98\x63" - "\x07\x1c\x4e\xd1\x68\xf3\xb3\x81" - "\xa8\xa6\x5f\xf1\x01\xc9\xc1\xaf" - "\x3a\x96\xf9\x9d\xb5\x5a\x5f\x8f" - "\x7e\xc1\x7e\x77\x0a\x40\xc8\x8e" - "\xfc\x0e\xed\xe1\x0d\xb0\xe5\x5e" - "\x5e\x6f\xf5\x7f\xab\x33\x7d\xcd" - "\xf0\x09\x4b\xb2\x11\x37\xdc\x65" - "\x97\x32\x62\x71\x3a\x29\x54\xb9" - "\xc7\xa4\xbf\x75\x0f\xf9\x40\xa9" - "\x8d\xd7\x8b\xa7\xe0\x9a\xbe\x15" - "\xc6\xda\xd8\x00\x14\x69\x1a\xaf" - "\x5f\x79\xc3\xf5\xbb\x6c\x2a\x9d" - "\xdd\x3c\x5f\x97\x21\xe1\x3a\x03" - "\x84\x6a\xe9\x76\x11\x1f\xd3\xd5" - "\xf0\x54\x20\x4d\xc2\x91\xc3\xa4" - "\x36\x25\xbe\x1b\x2a\x06\xb7\xf3" - "\xd1\xd0\x55\x29\x81\x4c\x83\xa3" - "\xa6\x84\x1e\x5c\xd1\xd0\x6c\x90" - "\xa4\x11\xf0\xd7\x63\x6a\x48\x05" - "\xbc\x48\x18\x53\xcd\xb0\x8d\xdb" - "\xdc\xfe\x55\x11\x5c\x51\xb3\xab" - "\xab\x63\x3e\x31\x5a\x8b\x93\x63" - "\x34\xa9\xba\x2b\x69\x1a\xc0\xe3" - "\xcb\x41\xbc\xd7\xf5\x7f\x82\x3e" - "\x01\xa3\x3c\x72\xf4\xfe\xdf\xbe" - "\xb1\x67\x17\x2b\x37\x60\x0d\xca" - "\x6f\xc3\x94\x2c\xd2\x92\x6d\x9d" - "\x75\x18\x77\xaa\x29\x38\x96\xed" - "\x0e\x20\x70\x92\xd5\xd0\xb4\x00" - "\xc0\x31\xf2\xc9\x43\x0e\x75\x1d" - "\x4b\x64\xf2\x1f\xf2\x29\x6c\x7b" - "\x7f\xec\x59\x7d\x8c\x0d\xd4\xd3" - "\xac\x53\x4c\xa3\xde\x42\x92\x95" - "\x6d\xa3\x4f\xd0\xe6\x3d\xe7\xec" - "\x7a\x4d\x68\xf1\xfe\x67\x66\x09" - "\x83\x22\xb1\x98\x43\x8c\xab\xb8" - "\x45\xe6\x6d\xdf\x5e\x50\x71\xce" - "\xf5\x4e\x40\x93\x2b\xfa\x86\x0e" - "\xe8\x30\xbd\x82\xcc\x1c\x9c\x5f" - "\xad\xfd\x08\x31\xbe\x52\xe7\xe6" - "\xf2\x06\x01\x62\x25\x15\x99\x74" - "\x33\x51\x52\x57\x3f\x57\x87\x61" - "\xb9\x7f\x29\x3d\xcd\x92\x5e\xa6" - "\x5c\x3b\xf1\xed\x5f\xeb\x82\xed" - "\x56\x7b\x61\xe7\xfd\x02\x47\x0e" - "\x2a\x15\xa4\xce\x43\x86\x9b\xe1" - "\x2b\x4c\x2a\xd9\x42\x97\xf7\x9a" - "\xe5\x47\x46\x48\xd3\x55\x6f\x4d" - "\xd9\xeb\x4b\xdd\x7b\x21\x2f\xb3" - "\xa8\x36\x28\xdf\xca\xf1\xf6\xd9" - "\x10\xf6\x1c\xfd\x2e\x0c\x27\xe0" - "\x01\xb3\xff\x6d\x47\x08\x4d\xd4" - "\x00\x25\xee\x55\x4a\xe9\xe8\x5b" - "\xd8\xf7\x56\x12\xd4\x50\xb2\xe5" - "\x51\x6f\x34\x63\x69\xd2\x4e\x96" - "\x4e\xbc\x79\xbf\x18\xae\xc6\x13" - "\x80\x92\x77\xb0\xb4\x0f\x29\x94" - "\x6f\x4c\xbb\x53\x11\x36\xc3\x9f" - "\x42\x8e\x96\x8a\x91\xc8\xe9\xfc" - "\xfe\xbf\x7c\x2d\x6f\xf9\xb8\x44" - "\x89\x1b\x09\x53\x0a\x2a\x92\xc3" - "\x54\x7a\x3a\xf9\xe2\xe4\x75\x87" - "\xa0\x5e\x4b\x03\x7a\x0d\x8a\xf4" - "\x55\x59\x94\x2b\x63\x96\x0e\xf5", - .psize =3D 1040, - .digest =3D "\xb5\xb9\x08\xb3\x24\x3e\x03\xf0" - "\xd6\x0b\x57\xbc\x0a\x6d\x89\x59", - }, { - .key =3D "\xf6\x34\x42\x71\x35\x52\x8b\x58" - "\x02\x3a\x8e\x4a\x8d\x41\x13\xe9" - "\x7f\xba\xb9\x55\x9d\x73\x4d\xf8" - "\x3f\x5d\x73\x15\xff\xd3\x9e\x7f" - "\x20\x2a\x6a\xa8\xd1\xf0\x8f\x12" - "\x6b\x02\xd8\x6c\xde\xba\x80\x22" - "\x19\x37\xc8\xd0\x4e\x89\x17\x7c" - "\x7c\xdd\x88\xfd\x41\xc0\x04\xb7" - "\x1d\xac\x19\xe3\x20\xc7\x16\xcf" - "\x58\xee\x1d\x7a\x61\x69\xa9\x12" - "\x4b\xef\x4f\xb6\x38\xdd\x78\xf8" - "\x28\xee\x70\x08\xc7\x7c\xcc\xc8" - "\x1e\x41\xf5\x80\x86\x70\xd0\xf0" - "\xa3\x87\x6b\x0a\x00\xd2\x41\x28" - "\x74\x26\xf1\x24\xf3\xd0\x28\x77" - "\xd7\xcd\xf6\x2d\x61\xf4\xa2\x13" - "\x77\xb4\x6f\xa0\xf4\xfb\xd6\xb5" - "\x38\x9d\x5a\x0c\x51\xaf\xad\x63" - "\x27\x67\x8c\x01\xea\x42\x1a\x66" - "\xda\x16\x7c\x3c\x30\x0c\x66\x53" - "\x1c\x88\xa4\x5c\xb2\xe3\x78\x0a" - "\x13\x05\x6d\xe2\xaf\xb3\xe4\x75" - "\x00\x99\x58\xee\x76\x09\x64\xaa" - "\xbb\x2e\xb1\x81\xec\xd8\x0e\xd3" - "\x0c\x33\x5d\xb7\x98\xef\x36\xb6" - "\xd2\x65\x69\x41\x70\x12\xdc\x25" - "\x41\x03\x99\x81\x41\x19\x62\x13" - "\xd1\x0a\x29\xc5\x8c\xe0\x4c\xf3" - "\xd6\xef\x4c\xf4\x1d\x83\x2e\x6d" - "\x8e\x14\x87\xed\x80\xe0\xaa\xd3" - "\x08\x04\x73\x1a\x84\x40\xf5\x64" - "\xbd\x61\x32\x65\x40\x42\xfb\xb0" - "\x40\xf6\x40\x8d\xc7\x7f\x14\xd0" - "\x83\x99\xaa\x36\x7e\x60\xc6\xbf" - "\x13\x8a\xf9\x21\xe4\x7e\x68\x87" - "\xf3\x33\x86\xb4\xe0\x23\x7e\x0a" - "\x21\xb1\xf5\xad\x67\x3c\x9c\x9d" - "\x09\xab\xaf\x5f\xba\xe0\xd0\x82" - "\x48\x22\x70\xb5\x6d\x53\xd6\x0e" - "\xde\x64\x92\x41\xb0\xd3\xfb\xda" - "\x21\xfe\xab\xea\x20\xc4\x03\x58" - "\x18\x2e\x7d\x2f\x03\xa9\x47\x66" - "\xdf\x7b\xa4\x6b\x34\x6b\x55\x9c" - "\x4f\xd7\x9c\x47\xfb\xa9\x42\xec" - "\x5a\x12\xfd\xfe\x76\xa0\x92\x9d" - "\xfe\x1e\x16\xdd\x24\x2a\xe4\x27" - "\xd5\xa9\xf2\x05\x4f\x83\xa2\xaf" - "\xfe\xee\x83\x7a\xad\xde\xdf\x9a" - "\x80\xd5\x81\x14\x93\x16\x7e\x46" - "\x47\xc2\x14\xef\x49\x6e\xb9\xdb" - "\x40\xe8\x06\x6f\x9c\x2a\xfd\x62" - "\x06\x46\xfd\x15\x1d\x36\x61\x6f" - "\x77\x77\x5e\x64\xce\x78\x1b\x85" - "\xbf\x50\x9a\xfd\x67\xa6\x1a\x65" - "\xad\x5b\x33\x30\xf1\x71\xaa\xd9" - "\x23\x0d\x92\x24\x5f\xae\x57\xb0" - "\x24\x37\x0a\x94\x12\xfb\xb5\xb1" - "\xd3\xb8\x1d\x12\x29\xb0\x80\x24" - "\x2d\x47\x9f\x96\x1f\x95\xf1\xb1" - "\xda\x35\xf6\x29\xe0\xe1\x23\x96" - "\xc7\xe8\x22\x9b\x7c\xac\xf9\x41" - "\x39\x01\xe5\x73\x15\x5e\x99\xec" - "\xb4\xc1\xf4\xe7\xa7\x97\x6a\xd5" - "\x90\x9a\xa0\x1d\xf3\x5a\x8b\x5f" - "\xdf\x01\x52\xa4\x93\x31\x97\xb0" - "\x93\x24\xb5\xbc\xb2\x14\x24\x98" - "\x4a\x8f\x19\x85\xc3\x2d\x0f\x74" - "\x9d\x16\x13\x80\x5e\x59\x62\x62" - "\x25\xe0\xd1\x2f\x64\xef\xba\xac" - "\xcd\x09\x07\x15\x8a\xcf\x73\xb5" - "\x8b\xc9\xd8\x24\xb0\x53\xd5\x6f" - "\xe1\x2b\x77\xb1\xc5\xe4\xa7\x0e" - "\x18\x45\xab\x36\x03\x59\xa8\xbd" - "\x43\xf0\xd8\x2c\x1a\x69\x96\xbb" - "\x13\xdf\x6c\x33\x77\xdf\x25\x34" - "\x5b\xa5\x5b\x8c\xf9\x51\x05\xd4" - "\x8b\x8b\x44\x87\x49\xfc\xa0\x8f" - "\x45\x15\x5b\x40\x42\xc4\x09\x92" - "\x98\x0c\x4d\xf4\x26\x37\x1b\x13" - "\x76\x01\x93\x8d\x4f\xe6\xed\x18" - "\xd0\x79\x7b\x3f\x44\x50\xcb\xee" - "\xf7\x4a\xc9\x9e\xe0\x96\x74\xa7" - "\xe6\x93\xb2\x53\xca\x55\xa8\xdc" - "\x1e\x68\x07\x87\xb7\x2e\xc1\x08" - "\xb2\xa4\x5b\xaf\xc6\xdb\x5c\x66" - "\x41\x1c\x51\xd9\xb0\x07\x00\x0d" - "\xf0\x4c\xdc\x93\xde\xa9\x1e\x8e" - "\xd3\x22\x62\xd8\x8b\x88\x2c\xea" - "\x5e\xf1\x6e\x14\x40\xc7\xbe\xaa" - "\x42\x28\xd0\x26\x30\x78\x01\x9b" - "\x83\x07\xbc\x94\xc7\x57\xa2\x9f" - "\x03\x07\xff\x16\xff\x3c\x6e\x48" - "\x0a\xd0\xdd\x4c\xf6\x64\x9a\xf1" - "\xcd\x30\x12\x82\x2c\x38\xd3\x26" - "\x83\xdb\xab\x3e\xc6\xf8\xe6\xfa" - "\x77\x0a\x78\x82\x75\xf8\x63\x51" - "\x59\xd0\x8d\x24\x9f\x25\xe6\xa3" - "\x4c\xbc\x34\xfc\xe3\x10\xc7\x62" - "\xd4\x23\xc8\x3d\xa7\xc6\xa6\x0a" - "\x4f\x7e\x29\x9d\x6d\xbe\xb5\xf1" - "\xdf\xa4\x53\xfa\xc0\x23\x0f\x37" - "\x84\x68\xd0\xb5\xc8\xc6\xae\xf8" - "\xb7\x8d\xb3\x16\xfe\x8f\x87\xad" - "\xd0\xc1\x08\xee\x12\x1c\x9b\x1d" - "\x90\xf8\xd1\x63\xa4\x92\x3c\xf0" - "\xc7\x34\xd8\xf1\x14\xed\xa3\xbc" - "\x17\x7e\xd4\x62\x42\x54\x57\x2c" - "\x3e\x7a\x35\x35\x17\x0f\x0b\x7f" - "\x81\xa1\x3f\xd0\xcd\xc8\x3b\x96" - "\xe9\xe0\x4a\x04\xe1\xb6\x3c\xa1" - "\xd6\xca\xc4\xbd\xb6\xb5\x95\x34" - "\x12\x9d\xc5\x96\xf2\xdf\xba\x54" - "\x76\xd1\xb2\x6b\x3b\x39\xe0\xb9" - "\x18\x62\xfb\xf7\xfc\x12\xf1\x5f" - "\x7e\xc7\xe3\x59\x4c\xa6\xc2\x3d" - "\x40\x15\xf9\xa3\x95\x64\x4c\x74" - "\x8b\x73\x77\x33\x07\xa7\x04\x1d" - "\x33\x5a\x7e\x8f\xbd\x86\x01\x4f" - "\x3e\xb9\x27\x6f\xe2\x41\xf7\x09" - "\x67\xfd\x29\x28\xc5\xe4\xf6\x18" - "\x4c\x1b\x49\xb2\x9c\x5b\xf6\x81" - "\x4f\xbb\x5c\xcc\x0b\xdf\x84\x23" - "\x58\xd6\x28\x34\x93\x3a\x25\x97" - "\xdf\xb2\xc3\x9e\x97\x38\x0b\x7d" - "\x10\xb3\x54\x35\x23\x8c\x64\xee" - "\xf0\xd8\x66\xff\x8b\x22\xd2\x5b" - "\x05\x16\x3c\x89\xf7\xb1\x75\xaf" - "\xc0\xae\x6a\x4f\x3f\xaf\x9a\xf4" - "\xf4\x9a\x24\xd9\x80\x82\xc0\x12" - "\xde\x96\xd1\xbe\x15\x0b\x8d\x6a" - "\xd7\x12\xe4\x85\x9f\x83\xc9\xc3" - "\xff\x0b\xb5\xaf\x3b\xd8\x6d\x67" - "\x81\x45\xe6\xac\xec\xc1\x7b\x16" - "\x18\x0a\xce\x4b\xc0\x2e\x76\xbc" - "\x1b\xfa\xb4\x34\xb8\xfc\x3e\xc8" - "\x5d\x90\x71\x6d\x7a\x79\xef\x06", - .ksize =3D 1088, - .plaintext =3D "\xaa\x5d\x54\xcb\xea\x1e\x46\x0f" - "\x45\x87\x70\x51\x8a\x66\x7a\x33" - "\xb4\x18\xff\xa9\x82\xf9\x45\x4b" - "\x93\xae\x2e\x7f\xab\x98\xfe\xbf" - "\x01\xee\xe5\xa0\x37\x8f\x57\xa6" - "\xb0\x76\x0d\xa4\xd6\x28\x2b\x5d" - "\xe1\x03\xd6\x1c\x6f\x34\x0d\xe7" - "\x61\x2d\x2e\xe5\xae\x5d\x47\xc7" - "\x80\x4b\x18\x8f\xa8\x99\xbc\x28" - "\xed\x1d\x9d\x86\x7d\xd7\x41\xd1" - "\xe0\x2b\xe1\x8c\x93\x2a\xa7\x80" - "\xe1\x07\xa0\xa9\x9f\x8c\x8d\x1a" - "\x55\xfc\x6b\x24\x7a\xbd\x3e\x51" - "\x68\x4b\x26\x59\xc8\xa7\x16\xd9" - "\xb9\x61\x13\xde\x8b\x63\x1c\xf6" - "\x60\x01\xfb\x08\xb3\x5b\x0a\xbf" - "\x34\x73\xda\x87\x87\x3d\x6f\x97" - "\x4a\x0c\xa3\x58\x20\xa2\xc0\x81" - "\x5b\x8c\xef\xa9\xc2\x01\x1e\x64" - "\x83\x8c\xbc\x03\xb6\xd0\x29\x9f" - "\x54\xe2\xce\x8b\xc2\x07\x85\x78" - "\x25\x38\x96\x4c\xb4\xbe\x17\x4a" - "\x65\xa6\xfa\x52\x9d\x66\x9d\x65" - "\x4a\xd1\x01\x01\xf0\xcb\x13\xcc" - "\xa5\x82\xf3\xf2\x66\xcd\x3f\x9d" - "\xd1\xaa\xe4\x67\xea\xf2\xad\x88" - "\x56\x76\xa7\x9b\x59\x3c\xb1\x5d" - "\x78\xfd\x69\x79\x74\x78\x43\x26" - "\x7b\xde\x3f\xf1\xf5\x4e\x14\xd9" - "\x15\xf5\x75\xb5\x2e\x19\xf3\x0c" - "\x48\x72\xd6\x71\x6d\x03\x6e\xaa" - "\xa7\x08\xf9\xaa\x70\xa3\x0f\x4d" - "\x12\x8a\xdd\xe3\x39\x73\x7e\xa7" - "\xea\x1f\x6d\x06\x26\x2a\xf2\xc5" - "\x52\xb4\xbf\xfd\x52\x0c\x06\x60" - "\x90\xd1\xb2\x7b\x56\xae\xac\x58" - "\x5a\x6b\x50\x2a\xf5\xe0\x30\x3c" - "\x2a\x98\x0f\x1b\x5b\x0a\x84\x6c" - "\x31\xae\x92\xe2\xd4\xbb\x7f\x59" - "\x26\x10\xb9\x89\x37\x68\x26\xbf" - "\x41\xc8\x49\xc4\x70\x35\x7d\xff" - "\x2d\x7f\xf6\x8a\x93\x68\x8c\x78" - "\x0d\x53\xce\x7d\xff\x7d\xfb\xae" - "\x13\x1b\x75\xc4\x78\xd7\x71\xd8" - "\xea\xd3\xf4\x9d\x95\x64\x8e\xb4" - "\xde\xb8\xe4\xa6\x68\xc8\xae\x73" - "\x58\xaf\xa8\xb0\x5a\x20\xde\x87" - "\x43\xb9\x0f\xe3\xad\x41\x4b\xd5" - "\xb7\xad\x16\x00\xa6\xff\xf6\x74" - "\xbf\x8c\x9f\xb3\x58\x1b\xb6\x55" - "\xa9\x90\x56\x28\xf0\xb5\x13\x4e" - "\x9e\xf7\x25\x86\xe0\x07\x7b\x98" - "\xd8\x60\x5d\x38\x95\x3c\xe4\x22" - "\x16\x2f\xb2\xa2\xaf\xe8\x90\x17" - "\xec\x11\x83\x1a\xf4\xa9\x26\xda" - "\x39\x72\xf5\x94\x61\x05\x51\xec" - "\xa8\x30\x8b\x2c\x13\xd0\x72\xac" - "\xb9\xd2\xa0\x4c\x4b\x78\xe8\x6e" - "\x04\x85\xe9\x04\x49\x82\x91\xff" - "\x89\xe5\xab\x4c\xaa\x37\x03\x12" - "\xca\x8b\x74\x10\xfd\x9e\xd9\x7b" - "\xcb\xdb\x82\x6e\xce\x2e\x33\x39" - "\xce\xd2\x84\x6e\x34\x71\x51\x6e" - "\x0d\xd6\x01\x87\xc7\xfa\x0a\xd3" - "\xad\x36\xf3\x4c\x9f\x96\x5e\x62" - "\x62\x54\xc3\x03\x78\xd6\xab\xdd" - "\x89\x73\x55\x25\x30\xf8\xa7\xe6" - "\x4f\x11\x0c\x7c\x0a\xa1\x2b\x7b" - "\x3d\x0d\xde\x81\xd4\x9d\x0b\xae" - "\xdf\x00\xf9\x4c\xb6\x90\x8e\x16" - "\xcb\x11\xc8\xd1\x2e\x73\x13\x75" - "\x75\x3e\xaa\xf5\xee\x02\xb3\x18" - "\xa6\x2d\xf5\x3b\x51\xd1\x1f\x47" - "\x6b\x2c\xdb\xc4\x10\xe0\xc8\xba" - "\x9d\xac\xb1\x9d\x75\xd5\x41\x0e" - "\x7e\xbe\x18\x5b\xa4\x1f\xf8\x22" - "\x4c\xc1\x68\xda\x6d\x51\x34\x6c" - "\x19\x59\xec\xb5\xb1\xec\xa7\x03" - "\xca\x54\x99\x63\x05\x6c\xb1\xac" - "\x9c\x31\xd6\xdb\xba\x7b\x14\x12" - "\x7a\xc3\x2f\xbf\x8d\xdc\x37\x46" - "\xdb\xd2\xbc\xd4\x2f\xab\x30\xd5" - "\xed\x34\x99\x8e\x83\x3e\xbe\x4c" - "\x86\x79\x58\xe0\x33\x8d\x9a\xb8" - "\xa9\xa6\x90\x46\xa2\x02\xb8\xdd" - "\xf5\xf9\x1a\x5c\x8c\x01\xaa\x6e" - "\xb4\x22\x12\xf5\x0c\x1b\x9b\x7a" - "\xc3\x80\xf3\x06\x00\x5f\x30\xd5" - "\x06\xdb\x7d\x82\xc2\xd4\x0b\x4c" - "\x5f\xe9\xc5\xf5\xdf\x97\x12\xbf" - "\x56\xaf\x9b\x69\xcd\xee\x30\xb4" - "\xa8\x71\xff\x3e\x7d\x73\x7a\xb4" - "\x0d\xa5\x46\x7a\xf3\xf4\x15\x87" - "\x5d\x93\x2b\x8c\x37\x64\xb5\xdd" - "\x48\xd1\xe5\x8c\xae\xd4\xf1\x76" - "\xda\xf4\xba\x9e\x25\x0e\xad\xa3" - "\x0d\x08\x7c\xa8\x82\x16\x8d\x90" - "\x56\x40\x16\x84\xe7\x22\x53\x3a" - "\x58\xbc\xb9\x8f\x33\xc8\xc2\x84" - "\x22\xe6\x0d\xe7\xb3\xdc\x5d\xdf" - "\xd7\x2a\x36\xe4\x16\x06\x07\xd2" - "\x97\x60\xb2\xf5\x5e\x14\xc9\xfd" - "\x8b\x05\xd1\xce\xee\x9a\x65\x99" - "\xb7\xae\x19\xb7\xc8\xbc\xd5\xa2" - "\x7b\x95\xe1\xcc\xba\x0d\xdc\x8a" - "\x1d\x59\x52\x50\xaa\x16\x02\x82" - "\xdf\x61\x33\x2e\x44\xce\x49\xc7" - "\xe5\xc6\x2e\x76\xcf\x80\x52\xf0" - "\x3d\x17\x34\x47\x3f\xd3\x80\x48" - "\xa2\xba\xd5\xc7\x7b\x02\x28\xdb" - "\xac\x44\xc7\x6e\x05\x5c\xc2\x79" - "\xb3\x7d\x6a\x47\x77\x66\xf1\x38" - "\xf0\xf5\x4f\x27\x1a\x31\xca\x6c" - "\x72\x95\x92\x8e\x3f\xb0\xec\x1d" - "\xc7\x2a\xff\x73\xee\xdf\x55\x80" - "\x93\xd2\xbd\x34\xd3\x9f\x00\x51" - "\xfb\x2e\x41\xba\x6c\x5a\x7c\x17" - "\x7f\xe6\x70\xac\x8d\x39\x3f\x77" - "\xe2\x23\xac\x8f\x72\x4e\xe4\x53" - "\xcc\xf1\x1b\xf1\x35\xfe\x52\xa4" - "\xd6\xb8\x40\x6b\xc1\xfd\xa0\xa1" - "\xf5\x46\x65\xc2\x50\xbb\x43\xe2" - "\xd1\x43\x28\x34\x74\xf5\x87\xa0" - "\xf2\x5e\x27\x3b\x59\x2b\x3e\x49" - "\xdf\x46\xee\xaf\x71\xd7\x32\x36" - "\xc7\x14\x0b\x58\x6e\x3e\x2d\x41" - "\xfa\x75\x66\x3a\x54\xe0\xb2\xb9" - "\xaf\xdd\x04\x80\x15\x19\x3f\x6f" - "\xce\x12\xb4\xd8\xe8\x89\x3c\x05" - "\x30\xeb\xf3\x3d\xcd\x27\xec\xdc" - "\x56\x70\x12\xcf\x78\x2b\x77\xbf" - "\x22\xf0\x1b\x17\x9c\xcc\xd6\x1b" - "\x2d\x3d\xa0\x3b\xd8\xc9\x70\xa4" - "\x7a\x3e\x07\xb9\x06\xc3\xfa\xb0" - "\x33\xee\xc1\xd8\xf6\xe0\xf0\xb2" - "\x61\x12\x69\xb0\x5f\x28\x99\xda" - "\xc3\x61\x48\xfa\x07\x16\x03\xc4" - "\xa8\xe1\x3c\xe8\x0e\x64\x15\x30" - "\xc1\x9d\x84\x2f\x73\x98\x0e\x3a" - "\xf2\x86\x21\xa4\x9e\x1d\xb5\x86" - "\x16\xdb\x2b\x9a\x06\x64\x8e\x79" - "\x8d\x76\x3e\xc3\xc2\x64\x44\xe3" - "\xda\xbc\x1a\x52\xd7\x61\x03\x65" - "\x54\x32\x77\x01\xed\x9d\x8a\x43" - "\x25\x24\xe3\xc1\xbe\xb8\x2f\xcb" - "\x89\x14\x64\xab\xf6\xa0\x6e\x02" - "\x57\xe4\x7d\xa9\x4e\x9a\x03\x36" - "\xad\xf1\xb1\xfc\x0b\xe6\x79\x51" - "\x9f\x81\x77\xc4\x14\x78\x9d\xbf" - "\xb6\xd6\xa3\x8c\xba\x0b\x26\xe7" - "\xc8\xb9\x5c\xcc\xe1\x5f\xd5\xc6" - "\xc4\xca\xc2\xa3\x45\xba\x94\x13" - "\xb2\x8f\xc3\x54\x01\x09\xe7\x8b" - "\xda\x2a\x0a\x11\x02\x43\xcb\x57" - "\xc9\xcc\xb5\x5c\xab\xc4\xec\x54" - "\x00\x06\x34\xe1\x6e\x03\x89\x7c" - "\xc6\xfb\x6a\xc7\x60\x43\xd6\xc5" - "\xb5\x68\x72\x89\x8f\x42\xc3\x74" - "\xbd\x25\xaa\x9f\x67\xb5\xdf\x26" - "\x20\xe8\xb7\x01\x3c\xe4\x77\xce" - "\xc4\x65\xa7\x23\x79\xea\x33\xc7" - "\x82\x14\x5c\x82\xf2\x4e\x3d\xf6" - "\xc6\x4a\x0e\x29\xbb\xec\x44\xcd" - "\x2f\xd1\x4f\x21\x71\xa9\xce\x0f" - "\x5c\xf2\x72\x5c\x08\x2e\x21\xd2" - "\xc3\x29\x13\xd8\xac\xc3\xda\x13" - "\x1a\x9d\xa7\x71\x1d\x27\x1d\x27" - "\x1d\xea\xab\x44\x79\xad\xe5\xeb" - "\xef\x1f\x22\x0a\x44\x4f\xcb\x87" - "\xa7\x58\x71\x0e\x66\xf8\x60\xbf" - "\x60\x74\x4a\xb4\xec\x2e\xfe\xd3" - "\xf5\xb8\xfe\x46\x08\x50\x99\x6c" - "\x66\xa5\xa8\x34\x44\xb5\xe5\xf0" - "\xdd\x2c\x67\x4e\x35\x96\x8e\x67" - "\x48\x3f\x5f\x37\x44\x60\x51\x2e" - "\x14\x91\x5e\x57\xc3\x0e\x79\x77" - "\x2f\x03\xf4\xe2\x1c\x72\xbf\x85" - "\x5d\xd3\x17\xdf\x6c\xc5\x70\x24" - "\x42\xdf\x51\x4e\x2a\xb2\xd2\x5b" - "\x9e\x69\x83\x41\x11\xfe\x73\x22" - "\xde\x8a\x9e\xd8\x8a\xfb\x20\x38" - "\xd8\x47\x6f\xd5\xed\x8f\x41\xfd" - "\x13\x7a\x18\x03\x7d\x0f\xcd\x7d" - "\xa6\x7d\x31\x9e\xf1\x8f\x30\xa3" - "\x8b\x4c\x24\xb7\xf5\x48\xd7\xd9" - "\x12\xe7\x84\x97\x5c\x31\x6d\xfb" - "\xdf\xf3\xd3\xd1\xd5\x0c\x30\x06" - "\x01\x6a\xbc\x6c\x78\x7b\xa6\x50" - "\xfa\x0f\x3c\x42\x2d\xa5\xa3\x3b" - "\xcf\x62\x50\xff\x71\x6d\xe7\xda" - "\x27\xab\xc6\x67\x16\x65\x68\x64" - "\xc7\xd5\x5f\x81\xa9\xf6\x65\xb3" - "\x5e\x43\x91\x16\xcd\x3d\x55\x37" - "\x55\xb3\xf0\x28\xc5\x54\x19\xc0" - "\xe0\xd6\x2a\x61\xd4\xc8\x72\x51" - "\xe9\xa1\x7b\x48\x21\xad\x44\x09" - "\xe4\x01\x61\x3c\x8a\x5b\xf9\xa1" - "\x6e\x1b\xdf\xc0\x04\xa8\x8b\xf2" - "\x21\xbe\x34\x7b\xfc\xa1\xcd\xc9" - "\xa9\x96\xf4\xa4\x4c\xf7\x4e\x8f" - "\x84\xcc\xd3\xa8\x92\x77\x8f\x36" - "\xe2\x2e\x8c\x33\xe8\x84\xa6\x0c" - "\x6c\x8a\xda\x14\x32\xc2\x96\xff" - "\xc6\x4a\xc2\x9b\x30\x7f\xd1\x29" - "\xc0\xd5\x78\x41\x00\x80\x80\x03" - "\x2a\xb1\xde\x26\x03\x48\x49\xee" - "\x57\x14\x76\x51\x3c\x36\x5d\x0a" - "\x5c\x9f\xe8\xd8\x53\xdb\x4f\xd4" - "\x38\xbf\x66\xc9\x75\x12\x18\x75" - "\x34\x2d\x93\x22\x96\x51\x24\x6e" - "\x4e\xd9\x30\xea\x67\xff\x92\x1c" - "\x16\x26\xe9\xb5\x33\xab\x8c\x22" - "\x47\xdb\xa0\x2c\x08\xf0\x12\x69" - "\x7e\x93\x52\xda\xa5\xe5\xca\xc1" - "\x0f\x55\x2a\xbd\x09\x30\x88\x1b" - "\x9c\xc6\x9f\xe6\xdb\xa6\x92\xeb" - "\xf4\xbd\x5c\xc4\xdb\xc6\x71\x09" - "\xab\x5e\x48\x0c\xed\x6f\xda\x8e" - "\x8d\x0c\x98\x71\x7d\x10\xd0\x9c" - "\x20\x9b\x79\x53\x26\x5d\xb9\x85" - "\x8a\x31\xb8\xc5\x1c\x97\xde\x88" - "\x61\x55\x7f\x7c\x21\x06\xea\xc4" - "\x5f\xaf\xf2\xf0\xd5\x5e\x7d\xb4" - "\x6e\xcf\xe9\xae\x1b\x0e\x11\x80" - "\xc1\x9a\x74\x7e\x52\x6f\xa0\xb7" - "\x24\xcd\x8d\x0a\x11\x40\x63\x72" - "\xfa\xe2\xc5\xb3\x94\xef\x29\xa2" - "\x1a\x23\x43\x04\x37\x55\x0d\xe9" - "\x83\xb2\x29\x51\x49\x64\xa0\xbd" - "\xde\x73\xfd\xa5\x7c\x95\x70\x62" - "\x58\xdc\xe2\xd0\xbf\x98\xf5\x8a" - "\x6a\xfd\xce\xa8\x0e\x42\x2a\xeb" - "\xd2\xff\x83\x27\x53\x5c\xa0\x6e" - "\x93\xef\xe2\xb9\x5d\x35\xd6\x98" - "\xf6\x71\x19\x7a\x54\xa1\xa7\xe8" - "\x09\xfe\xf6\x9e\xc7\xbd\x3e\x29" - "\xbd\x6b\x17\xf4\xe7\x3e\x10\x5c" - "\xc1\xd2\x59\x4f\x4b\x12\x1a\x5b" - "\x50\x80\x59\xb9\xec\x13\x66\xa8" - "\xd2\x31\x7b\x6a\x61\x22\xdd\x7d" - "\x61\xee\x87\x16\x46\x9f\xf9\xc7" - "\x41\xee\x74\xf8\xd0\x96\x2c\x76" - "\x2a\xac\x7d\x6e\x9f\x0e\x7f\x95" - "\xfe\x50\x16\xb2\x23\xca\x62\xd5" - "\x68\xcf\x07\x3f\x3f\x97\x85\x2a" - "\x0c\x25\x45\xba\xdb\x32\xcb\x83" - "\x8c\x4f\xe0\x6d\x9a\x99\xf9\xc9" - "\xda\xd4\x19\x31\xc1\x7c\x6d\xd9" - "\x9c\x56\xd3\xec\xc1\x81\x4c\xed" - "\x28\x9d\x87\xeb\x19\xd7\x1a\x4f" - "\x04\x6a\xcb\x1f\xcf\x1f\xa2\x16" - "\xfc\x2a\x0d\xa1\x14\x2d\xfa\xc5" - "\x5a\xd2\xc5\xf9\x19\x7c\x20\x1f" - "\x2d\x10\xc0\x66\x7c\xd9\x2d\xe5" - "\x88\x70\x59\xa7\x85\xd5\x2e\x7c" - "\x5c\xe3\xb7\x12\xd6\x97\x3f\x29", - .psize =3D 2048, - .digest =3D "\x37\x90\x92\xc2\xeb\x01\x87\xd9" - "\x95\xc7\x91\xc3\x17\x8b\x38\x52", - } -}; - - /* * DES test vectors. */ static const struct cipher_testvec des_tv_template[] =3D { { /* From Applied Cryptography */ --=20 2.52.0 From nobody Tue Dec 16 16:35:51 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8D77A23909C; Thu, 11 Dec 2025 01:20:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416059; cv=none; b=j5jRMCtzwepl7eWpM6f1pgmYNXwhms1omKpumzrG9kS4v72hBSFxgZREfkfml4jnNBvMzpOREVTp8xvLM7oA28MONwCKUMS1ZzqAy9oMenJdt4TzCdd1yvXsXLCoOEeTnHSJTg6XLvSeMMYNaLKrpyCWJ3y5vlH7eFciB/1jg7Q= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765416059; c=relaxed/simple; bh=c7Wxsv2qMnAP++ftzBA0W0ugHU/R9/cZbMizhIM4xBw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=uYtjaAjj+DHzHJUrHDFIwmYvXfhZ2YrBoRjseYxXPsxupq6TUOHjIDJF9NAT4KxCHTtohsRdfyvOmFzXfsN6TjmR5ef2qHLRj59KXZlmSzza5zNpvX3YRAKCB4fCJvNi1zjTcBvlNLxP+Ev4SwYW/ZI0KEP2WTqcOA4N5JT7Lf8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=d7WuFitk; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="d7WuFitk" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0CC50C19423; Thu, 11 Dec 2025 01:20:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1765416058; bh=c7Wxsv2qMnAP++ftzBA0W0ugHU/R9/cZbMizhIM4xBw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=d7WuFitkE7uaxLhYqf6hpILerfgFpEIQLzFcN1Ho/WhQzTmIywxWkHO4r2Xbs24HE dvusjL9951+QWK+A13fhL/kZgFJT5ikI+0ZBC6MAmf5SUNjxAxgkpFWmFIgGI9NPd7 vg5QAFDRFCXO1PRP+lUIuQ6xk5A5+fjHmriUDpyzPD3pGmImYY25nLMgv/gbgVXt6p pSSbVcG3FFWZURfrGYgJvgUtPdgCIdg/l5ekhSaIbRk8Kpun5K+U0k1OldieLSE9ms 3fm37MMtO746y4O4+gMdUGbrTNRpeefwoc+ha+bKHx5SZzmDEiwZ4eCMVRvjkzqwqA ojCucoKSpYEvQ== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , Herbert Xu , linux-arm-kernel@lists.infradead.org, x86@kernel.org, Eric Biggers Subject: [PATCH 12/12] fscrypt: Drop obsolete recommendation to enable optimized NHPoly1305 Date: Wed, 10 Dec 2025 17:18:44 -0800 Message-ID: <20251211011846.8179-13-ebiggers@kernel.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251211011846.8179-1-ebiggers@kernel.org> References: <20251211011846.8179-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" CONFIG_CRYPTO_NHPOLY1305_NEON, CONFIG_CRYPTO_NHPOLY1305_SSE2, and CONFIG_CRYPTO_NHPOLY1305_AVX2 no longer exist. The equivalent optimizations are now just enabled automatically when Adiantum support is enabled. Update the fscrypt documentation accordingly. Signed-off-by: Eric Biggers --- Documentation/filesystems/fscrypt.rst | 5 ----- 1 file changed, 5 deletions(-) diff --git a/Documentation/filesystems/fscrypt.rst b/Documentation/filesyst= ems/fscrypt.rst index 70af896822e1..c0dd35f1af12 100644 --- a/Documentation/filesystems/fscrypt.rst +++ b/Documentation/filesystems/fscrypt.rst @@ -453,15 +453,10 @@ API, but the filenames mode still does. - x86: CONFIG_CRYPTO_AES_NI_INTEL =20 - Adiantum - Mandatory: - CONFIG_CRYPTO_ADIANTUM - - Recommended: - - arm32: CONFIG_CRYPTO_NHPOLY1305_NEON - - arm64: CONFIG_CRYPTO_NHPOLY1305_NEON - - x86: CONFIG_CRYPTO_NHPOLY1305_SSE2 - - x86: CONFIG_CRYPTO_NHPOLY1305_AVX2 =20 - AES-128-CBC-ESSIV and AES-128-CBC-CTS: - Mandatory: - CONFIG_CRYPTO_ESSIV - CONFIG_CRYPTO_SHA256 or another SHA-256 implementation --=20 2.52.0