summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArd Biesheuvel <ard.biesheuvel@linaro.org>2019-07-03 04:55:07 -0400
committerHerbert Xu <herbert@gondor.apana.org.au>2019-07-26 01:03:56 -0400
commit520c1993bbe620e39fd93de1a01b9e0dc0b97aa6 (patch)
tree7ac1589796ea1464168efa7c8f6ed0ae1d99ecc3
parent5cb97700beaa005ceb2a127b6f53536a4544c9d8 (diff)
crypto: aegis128l/aegis256 - remove x86 and generic implementations
Three variants of AEGIS were proposed for the CAESAR competition, and only one was selected for the final portfolio: AEGIS128. The other variants, AEGIS128L and AEGIS256, are not likely to ever turn up in networking protocols or other places where interoperability between Linux and other systems is a concern, nor are they likely to be subjected to further cryptanalysis. However, uninformed users may think that AEGIS128L (which is faster) is equally fit for use. So let's remove them now, before anyone starts using them and we are forced to support them forever. Note that there are no known flaws in the algorithms or in any of these implementations, but they have simply outlived their usefulness. Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat
-rw-r--r--arch/x86/crypto/Makefile4
-rw-r--r--arch/x86/crypto/aegis128l-aesni-asm.S823
-rw-r--r--arch/x86/crypto/aegis128l-aesni-glue.c293
-rw-r--r--arch/x86/crypto/aegis256-aesni-asm.S700
-rw-r--r--arch/x86/crypto/aegis256-aesni-glue.c293
-rw-r--r--crypto/Kconfig30
-rw-r--r--crypto/Makefile2
-rw-r--r--crypto/aegis128l.c522
-rw-r--r--crypto/aegis256.c473
-rw-r--r--crypto/testmgr.c12
-rw-r--r--crypto/testmgr.h984
11 files changed, 0 insertions, 4136 deletions
diff --git a/arch/x86/crypto/Makefile b/arch/x86/crypto/Makefile
index 6f1d825fbb09..759b1a927826 100644
--- a/arch/x86/crypto/Makefile
+++ b/arch/x86/crypto/Makefile
@@ -36,8 +36,6 @@ obj-$(CONFIG_CRYPTO_CRCT10DIF_PCLMUL) += crct10dif-pclmul.o
36obj-$(CONFIG_CRYPTO_POLY1305_X86_64) += poly1305-x86_64.o 36obj-$(CONFIG_CRYPTO_POLY1305_X86_64) += poly1305-x86_64.o
37 37
38obj-$(CONFIG_CRYPTO_AEGIS128_AESNI_SSE2) += aegis128-aesni.o 38obj-$(CONFIG_CRYPTO_AEGIS128_AESNI_SSE2) += aegis128-aesni.o
39obj-$(CONFIG_CRYPTO_AEGIS128L_AESNI_SSE2) += aegis128l-aesni.o
40obj-$(CONFIG_CRYPTO_AEGIS256_AESNI_SSE2) += aegis256-aesni.o
41 39
42obj-$(CONFIG_CRYPTO_NHPOLY1305_SSE2) += nhpoly1305-sse2.o 40obj-$(CONFIG_CRYPTO_NHPOLY1305_SSE2) += nhpoly1305-sse2.o
43obj-$(CONFIG_CRYPTO_NHPOLY1305_AVX2) += nhpoly1305-avx2.o 41obj-$(CONFIG_CRYPTO_NHPOLY1305_AVX2) += nhpoly1305-avx2.o
@@ -70,8 +68,6 @@ chacha-x86_64-y := chacha-ssse3-x86_64.o chacha_glue.o
70serpent-sse2-x86_64-y := serpent-sse2-x86_64-asm_64.o serpent_sse2_glue.o 68serpent-sse2-x86_64-y := serpent-sse2-x86_64-asm_64.o serpent_sse2_glue.o
71 69
72aegis128-aesni-y := aegis128-aesni-asm.o aegis128-aesni-glue.o 70aegis128-aesni-y := aegis128-aesni-asm.o aegis128-aesni-glue.o
73aegis128l-aesni-y := aegis128l-aesni-asm.o aegis128l-aesni-glue.o
74aegis256-aesni-y := aegis256-aesni-asm.o aegis256-aesni-glue.o
75 71
76nhpoly1305-sse2-y := nh-sse2-x86_64.o nhpoly1305-sse2-glue.o 72nhpoly1305-sse2-y := nh-sse2-x86_64.o nhpoly1305-sse2-glue.o
77 73
diff --git a/arch/x86/crypto/aegis128l-aesni-asm.S b/arch/x86/crypto/aegis128l-aesni-asm.S
deleted file mode 100644
index 1461ef00c0e8..000000000000
--- a/arch/x86/crypto/aegis128l-aesni-asm.S
+++ /dev/null
@@ -1,823 +0,0 @@
1/* SPDX-License-Identifier: GPL-2.0-only */
2/*
3 * AES-NI + SSE2 implementation of AEGIS-128L
4 *
5 * Copyright (c) 2017-2018 Ondrej Mosnacek <omosnacek@gmail.com>
6 * Copyright (C) 2017-2018 Red Hat, Inc. All rights reserved.
7 */
8
9#include <linux/linkage.h>
10#include <asm/frame.h>
11
12#define STATE0 %xmm0
13#define STATE1 %xmm1
14#define STATE2 %xmm2
15#define STATE3 %xmm3
16#define STATE4 %xmm4
17#define STATE5 %xmm5
18#define STATE6 %xmm6
19#define STATE7 %xmm7
20#define MSG0 %xmm8
21#define MSG1 %xmm9
22#define T0 %xmm10
23#define T1 %xmm11
24#define T2 %xmm12
25#define T3 %xmm13
26
27#define STATEP %rdi
28#define LEN %rsi
29#define SRC %rdx
30#define DST %rcx
31
32.section .rodata.cst16.aegis128l_const, "aM", @progbits, 32
33.align 16
34.Laegis128l_const_0:
35 .byte 0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d
36 .byte 0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62
37.Laegis128l_const_1:
38 .byte 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1
39 .byte 0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd
40
41.section .rodata.cst16.aegis128l_counter, "aM", @progbits, 16
42.align 16
43.Laegis128l_counter0:
44 .byte 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
45 .byte 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
46.Laegis128l_counter1:
47 .byte 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
48 .byte 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
49
50.text
51
52/*
53 * __load_partial: internal ABI
54 * input:
55 * LEN - bytes
56 * SRC - src
57 * output:
58 * MSG0 - first message block
59 * MSG1 - second message block
60 * changed:
61 * T0
62 * %r8
63 * %r9
64 */
65__load_partial:
66 xor %r9d, %r9d
67 pxor MSG0, MSG0
68 pxor MSG1, MSG1
69
70 mov LEN, %r8
71 and $0x1, %r8
72 jz .Lld_partial_1
73
74 mov LEN, %r8
75 and $0x1E, %r8
76 add SRC, %r8
77 mov (%r8), %r9b
78
79.Lld_partial_1:
80 mov LEN, %r8
81 and $0x2, %r8
82 jz .Lld_partial_2
83
84 mov LEN, %r8
85 and $0x1C, %r8
86 add SRC, %r8
87 shl $0x10, %r9
88 mov (%r8), %r9w
89
90.Lld_partial_2:
91 mov LEN, %r8
92 and $0x4, %r8
93 jz .Lld_partial_4
94
95 mov LEN, %r8
96 and $0x18, %r8
97 add SRC, %r8
98 shl $32, %r9
99 mov (%r8), %r8d
100 xor %r8, %r9
101
102.Lld_partial_4:
103 movq %r9, MSG0
104
105 mov LEN, %r8
106 and $0x8, %r8
107 jz .Lld_partial_8
108
109 mov LEN, %r8
110 and $0x10, %r8
111 add SRC, %r8
112 pslldq $8, MSG0
113 movq (%r8), T0
114 pxor T0, MSG0
115
116.Lld_partial_8:
117 mov LEN, %r8
118 and $0x10, %r8
119 jz .Lld_partial_16
120
121 movdqa MSG0, MSG1
122 movdqu (SRC), MSG0
123
124.Lld_partial_16:
125 ret
126ENDPROC(__load_partial)
127
128/*
129 * __store_partial: internal ABI
130 * input:
131 * LEN - bytes
132 * DST - dst
133 * output:
134 * T0 - first message block
135 * T1 - second message block
136 * changed:
137 * %r8
138 * %r9
139 * %r10
140 */
141__store_partial:
142 mov LEN, %r8
143 mov DST, %r9
144
145 cmp $16, %r8
146 jl .Lst_partial_16
147
148 movdqu T0, (%r9)
149 movdqa T1, T0
150
151 sub $16, %r8
152 add $16, %r9
153
154.Lst_partial_16:
155 movq T0, %r10
156
157 cmp $8, %r8
158 jl .Lst_partial_8
159
160 mov %r10, (%r9)
161 psrldq $8, T0
162 movq T0, %r10
163
164 sub $8, %r8
165 add $8, %r9
166
167.Lst_partial_8:
168 cmp $4, %r8
169 jl .Lst_partial_4
170
171 mov %r10d, (%r9)
172 shr $32, %r10
173
174 sub $4, %r8
175 add $4, %r9
176
177.Lst_partial_4:
178 cmp $2, %r8
179 jl .Lst_partial_2
180
181 mov %r10w, (%r9)
182 shr $0x10, %r10
183
184 sub $2, %r8
185 add $2, %r9
186
187.Lst_partial_2:
188 cmp $1, %r8
189 jl .Lst_partial_1
190
191 mov %r10b, (%r9)
192
193.Lst_partial_1:
194 ret
195ENDPROC(__store_partial)
196
197.macro update
198 movdqa STATE7, T0
199 aesenc STATE0, STATE7
200 aesenc STATE1, STATE0
201 aesenc STATE2, STATE1
202 aesenc STATE3, STATE2
203 aesenc STATE4, STATE3
204 aesenc STATE5, STATE4
205 aesenc STATE6, STATE5
206 aesenc T0, STATE6
207.endm
208
209.macro update0
210 update
211 pxor MSG0, STATE7
212 pxor MSG1, STATE3
213.endm
214
215.macro update1
216 update
217 pxor MSG0, STATE6
218 pxor MSG1, STATE2
219.endm
220
221.macro update2
222 update
223 pxor MSG0, STATE5
224 pxor MSG1, STATE1
225.endm
226
227.macro update3
228 update
229 pxor MSG0, STATE4
230 pxor MSG1, STATE0
231.endm
232
233.macro update4
234 update
235 pxor MSG0, STATE3
236 pxor MSG1, STATE7
237.endm
238
239.macro update5
240 update
241 pxor MSG0, STATE2
242 pxor MSG1, STATE6
243.endm
244
245.macro update6
246 update
247 pxor MSG0, STATE1
248 pxor MSG1, STATE5
249.endm
250
251.macro update7
252 update
253 pxor MSG0, STATE0
254 pxor MSG1, STATE4
255.endm
256
257.macro state_load
258 movdqu 0x00(STATEP), STATE0
259 movdqu 0x10(STATEP), STATE1
260 movdqu 0x20(STATEP), STATE2
261 movdqu 0x30(STATEP), STATE3
262 movdqu 0x40(STATEP), STATE4
263 movdqu 0x50(STATEP), STATE5
264 movdqu 0x60(STATEP), STATE6
265 movdqu 0x70(STATEP), STATE7
266.endm
267
268.macro state_store s0 s1 s2 s3 s4 s5 s6 s7
269 movdqu \s7, 0x00(STATEP)
270 movdqu \s0, 0x10(STATEP)
271 movdqu \s1, 0x20(STATEP)
272 movdqu \s2, 0x30(STATEP)
273 movdqu \s3, 0x40(STATEP)
274 movdqu \s4, 0x50(STATEP)
275 movdqu \s5, 0x60(STATEP)
276 movdqu \s6, 0x70(STATEP)
277.endm
278
279.macro state_store0
280 state_store STATE0 STATE1 STATE2 STATE3 STATE4 STATE5 STATE6 STATE7
281.endm
282
283.macro state_store1
284 state_store STATE7 STATE0 STATE1 STATE2 STATE3 STATE4 STATE5 STATE6
285.endm
286
287.macro state_store2
288 state_store STATE6 STATE7 STATE0 STATE1 STATE2 STATE3 STATE4 STATE5
289.endm
290
291.macro state_store3
292 state_store STATE5 STATE6 STATE7 STATE0 STATE1 STATE2 STATE3 STATE4
293.endm
294
295.macro state_store4
296 state_store STATE4 STATE5 STATE6 STATE7 STATE0 STATE1 STATE2 STATE3
297.endm
298
299.macro state_store5
300 state_store STATE3 STATE4 STATE5 STATE6 STATE7 STATE0 STATE1 STATE2
301.endm
302
303.macro state_store6
304 state_store STATE2 STATE3 STATE4 STATE5 STATE6 STATE7 STATE0 STATE1
305.endm
306
307.macro state_store7
308 state_store STATE1 STATE2 STATE3 STATE4 STATE5 STATE6 STATE7 STATE0
309.endm
310
311/*
312 * void crypto_aegis128l_aesni_init(void *state, const void *key, const void *iv);
313 */
314ENTRY(crypto_aegis128l_aesni_init)
315 FRAME_BEGIN
316
317 /* load key: */
318 movdqa (%rsi), MSG1
319 movdqa MSG1, STATE0
320 movdqa MSG1, STATE4
321 movdqa MSG1, STATE5
322 movdqa MSG1, STATE6
323 movdqa MSG1, STATE7
324
325 /* load IV: */
326 movdqu (%rdx), MSG0
327 pxor MSG0, STATE0
328 pxor MSG0, STATE4
329
330 /* load the constants: */
331 movdqa .Laegis128l_const_0, STATE2
332 movdqa .Laegis128l_const_1, STATE1
333 movdqa STATE1, STATE3
334 pxor STATE2, STATE5
335 pxor STATE1, STATE6
336 pxor STATE2, STATE7
337
338 /* update 10 times with IV and KEY: */
339 update0
340 update1
341 update2
342 update3
343 update4
344 update5
345 update6
346 update7
347 update0
348 update1
349
350 state_store1
351
352 FRAME_END
353 ret
354ENDPROC(crypto_aegis128l_aesni_init)
355
356.macro ad_block a i
357 movdq\a (\i * 0x20 + 0x00)(SRC), MSG0
358 movdq\a (\i * 0x20 + 0x10)(SRC), MSG1
359 update\i
360 sub $0x20, LEN
361 cmp $0x20, LEN
362 jl .Lad_out_\i
363.endm
364
365/*
366 * void crypto_aegis128l_aesni_ad(void *state, unsigned int length,
367 * const void *data);
368 */
369ENTRY(crypto_aegis128l_aesni_ad)
370 FRAME_BEGIN
371
372 cmp $0x20, LEN
373 jb .Lad_out
374
375 state_load
376
377 mov SRC, %r8
378 and $0xf, %r8
379 jnz .Lad_u_loop
380
381.align 8
382.Lad_a_loop:
383 ad_block a 0
384 ad_block a 1
385 ad_block a 2
386 ad_block a 3
387 ad_block a 4
388 ad_block a 5
389 ad_block a 6
390 ad_block a 7
391
392 add $0x100, SRC
393 jmp .Lad_a_loop
394
395.align 8
396.Lad_u_loop:
397 ad_block u 0
398 ad_block u 1
399 ad_block u 2
400 ad_block u 3
401 ad_block u 4
402 ad_block u 5
403 ad_block u 6
404 ad_block u 7
405
406 add $0x100, SRC
407 jmp .Lad_u_loop
408
409.Lad_out_0:
410 state_store0
411 FRAME_END
412 ret
413
414.Lad_out_1:
415 state_store1
416 FRAME_END
417 ret
418
419.Lad_out_2:
420 state_store2
421 FRAME_END
422 ret
423
424.Lad_out_3:
425 state_store3
426 FRAME_END
427 ret
428
429.Lad_out_4:
430 state_store4
431 FRAME_END
432 ret
433
434.Lad_out_5:
435 state_store5
436 FRAME_END
437 ret
438
439.Lad_out_6:
440 state_store6
441 FRAME_END
442 ret
443
444.Lad_out_7:
445 state_store7
446 FRAME_END
447 ret
448
449.Lad_out:
450 FRAME_END
451 ret
452ENDPROC(crypto_aegis128l_aesni_ad)
453
454.macro crypt m0 m1 s0 s1 s2 s3 s4 s5 s6 s7
455 pxor \s1, \m0
456 pxor \s6, \m0
457 movdqa \s2, T3
458 pand \s3, T3
459 pxor T3, \m0
460
461 pxor \s2, \m1
462 pxor \s5, \m1
463 movdqa \s6, T3
464 pand \s7, T3
465 pxor T3, \m1
466.endm
467
468.macro crypt0 m0 m1
469 crypt \m0 \m1 STATE0 STATE1 STATE2 STATE3 STATE4 STATE5 STATE6 STATE7
470.endm
471
472.macro crypt1 m0 m1
473 crypt \m0 \m1 STATE7 STATE0 STATE1 STATE2 STATE3 STATE4 STATE5 STATE6
474.endm
475
476.macro crypt2 m0 m1
477 crypt \m0 \m1 STATE6 STATE7 STATE0 STATE1 STATE2 STATE3 STATE4 STATE5
478.endm
479
480.macro crypt3 m0 m1
481 crypt \m0 \m1 STATE5 STATE6 STATE7 STATE0 STATE1 STATE2 STATE3 STATE4
482.endm
483
484.macro crypt4 m0 m1
485 crypt \m0 \m1 STATE4 STATE5 STATE6 STATE7 STATE0 STATE1 STATE2 STATE3
486.endm
487
488.macro crypt5 m0 m1
489 crypt \m0 \m1 STATE3 STATE4 STATE5 STATE6 STATE7 STATE0 STATE1 STATE2
490.endm
491
492.macro crypt6 m0 m1
493 crypt \m0 \m1 STATE2 STATE3 STATE4 STATE5 STATE6 STATE7 STATE0 STATE1
494.endm
495
496.macro crypt7 m0 m1
497 crypt \m0 \m1 STATE1 STATE2 STATE3 STATE4 STATE5 STATE6 STATE7 STATE0
498.endm
499
500.macro encrypt_block a i
501 movdq\a (\i * 0x20 + 0x00)(SRC), MSG0
502 movdq\a (\i * 0x20 + 0x10)(SRC), MSG1
503 movdqa MSG0, T0
504 movdqa MSG1, T1
505 crypt\i T0, T1
506 movdq\a T0, (\i * 0x20 + 0x00)(DST)
507 movdq\a T1, (\i * 0x20 + 0x10)(DST)
508
509 update\i
510
511 sub $0x20, LEN
512 cmp $0x20, LEN
513 jl .Lenc_out_\i
514.endm
515
516.macro decrypt_block a i
517 movdq\a (\i * 0x20 + 0x00)(SRC), MSG0
518 movdq\a (\i * 0x20 + 0x10)(SRC), MSG1
519 crypt\i MSG0, MSG1
520 movdq\a MSG0, (\i * 0x20 + 0x00)(DST)
521 movdq\a MSG1, (\i * 0x20 + 0x10)(DST)
522
523 update\i
524
525 sub $0x20, LEN
526 cmp $0x20, LEN
527 jl .Ldec_out_\i
528.endm
529
530/*
531 * void crypto_aegis128l_aesni_enc(void *state, unsigned int length,
532 * const void *src, void *dst);
533 */
534ENTRY(crypto_aegis128l_aesni_enc)
535 FRAME_BEGIN
536
537 cmp $0x20, LEN
538 jb .Lenc_out
539
540 state_load
541
542 mov SRC, %r8
543 or DST, %r8
544 and $0xf, %r8
545 jnz .Lenc_u_loop
546
547.align 8
548.Lenc_a_loop:
549 encrypt_block a 0
550 encrypt_block a 1
551 encrypt_block a 2
552 encrypt_block a 3
553 encrypt_block a 4
554 encrypt_block a 5
555 encrypt_block a 6
556 encrypt_block a 7
557
558 add $0x100, SRC
559 add $0x100, DST
560 jmp .Lenc_a_loop
561
562.align 8
563.Lenc_u_loop:
564 encrypt_block u 0
565 encrypt_block u 1
566 encrypt_block u 2
567 encrypt_block u 3
568 encrypt_block u 4
569 encrypt_block u 5
570 encrypt_block u 6
571 encrypt_block u 7
572
573 add $0x100, SRC
574 add $0x100, DST
575 jmp .Lenc_u_loop
576
577.Lenc_out_0:
578 state_store0
579 FRAME_END
580 ret
581
582.Lenc_out_1:
583 state_store1
584 FRAME_END
585 ret
586
587.Lenc_out_2:
588 state_store2
589 FRAME_END
590 ret
591
592.Lenc_out_3:
593 state_store3
594 FRAME_END
595 ret
596
597.Lenc_out_4:
598 state_store4
599 FRAME_END
600 ret
601
602.Lenc_out_5:
603 state_store5
604 FRAME_END
605 ret
606
607.Lenc_out_6:
608 state_store6
609 FRAME_END
610 ret
611
612.Lenc_out_7:
613 state_store7
614 FRAME_END
615 ret
616
617.Lenc_out:
618 FRAME_END
619 ret
620ENDPROC(crypto_aegis128l_aesni_enc)
621
622/*
623 * void crypto_aegis128l_aesni_enc_tail(void *state, unsigned int length,
624 * const void *src, void *dst);
625 */
626ENTRY(crypto_aegis128l_aesni_enc_tail)
627 FRAME_BEGIN
628
629 state_load
630
631 /* encrypt message: */
632 call __load_partial
633
634 movdqa MSG0, T0
635 movdqa MSG1, T1
636 crypt0 T0, T1
637
638 call __store_partial
639
640 update0
641
642 state_store0
643
644 FRAME_END
645 ret
646ENDPROC(crypto_aegis128l_aesni_enc_tail)
647
648/*
649 * void crypto_aegis128l_aesni_dec(void *state, unsigned int length,
650 * const void *src, void *dst);
651 */
652ENTRY(crypto_aegis128l_aesni_dec)
653 FRAME_BEGIN
654
655 cmp $0x20, LEN
656 jb .Ldec_out
657
658 state_load
659
660 mov SRC, %r8
661 or DST, %r8
662 and $0xF, %r8
663 jnz .Ldec_u_loop
664
665.align 8
666.Ldec_a_loop:
667 decrypt_block a 0
668 decrypt_block a 1
669 decrypt_block a 2
670 decrypt_block a 3
671 decrypt_block a 4
672 decrypt_block a 5
673 decrypt_block a 6
674 decrypt_block a 7
675
676 add $0x100, SRC
677 add $0x100, DST
678 jmp .Ldec_a_loop
679
680.align 8
681.Ldec_u_loop:
682 decrypt_block u 0
683 decrypt_block u 1
684 decrypt_block u 2
685 decrypt_block u 3
686 decrypt_block u 4
687 decrypt_block u 5
688 decrypt_block u 6
689 decrypt_block u 7
690
691 add $0x100, SRC
692 add $0x100, DST
693 jmp .Ldec_u_loop
694
695.Ldec_out_0:
696 state_store0
697 FRAME_END
698 ret
699
700.Ldec_out_1:
701 state_store1
702 FRAME_END
703 ret
704
705.Ldec_out_2:
706 state_store2
707 FRAME_END
708 ret
709
710.Ldec_out_3:
711 state_store3
712 FRAME_END
713 ret
714
715.Ldec_out_4:
716 state_store4
717 FRAME_END
718 ret
719
720.Ldec_out_5:
721 state_store5
722 FRAME_END
723 ret
724
725.Ldec_out_6:
726 state_store6
727 FRAME_END
728 ret
729
730.Ldec_out_7:
731 state_store7
732 FRAME_END
733 ret
734
735.Ldec_out:
736 FRAME_END
737 ret
738ENDPROC(crypto_aegis128l_aesni_dec)
739
740/*
741 * void crypto_aegis128l_aesni_dec_tail(void *state, unsigned int length,
742 * const void *src, void *dst);
743 */
744ENTRY(crypto_aegis128l_aesni_dec_tail)
745 FRAME_BEGIN
746
747 state_load
748
749 /* decrypt message: */
750 call __load_partial
751
752 crypt0 MSG0, MSG1
753
754 movdqa MSG0, T0
755 movdqa MSG1, T1
756 call __store_partial
757
758 /* mask with byte count: */
759 movq LEN, T0
760 punpcklbw T0, T0
761 punpcklbw T0, T0
762 punpcklbw T0, T0
763 punpcklbw T0, T0
764 movdqa T0, T1
765 movdqa .Laegis128l_counter0, T2
766 movdqa .Laegis128l_counter1, T3
767 pcmpgtb T2, T0
768 pcmpgtb T3, T1
769 pand T0, MSG0
770 pand T1, MSG1
771
772 update0
773
774 state_store0
775
776 FRAME_END
777 ret
778ENDPROC(crypto_aegis128l_aesni_dec_tail)
779
780/*
781 * void crypto_aegis128l_aesni_final(void *state, void *tag_xor,
782 * u64 assoclen, u64 cryptlen);
783 */
784ENTRY(crypto_aegis128l_aesni_final)
785 FRAME_BEGIN
786
787 state_load
788
789 /* prepare length block: */
790 movq %rdx, MSG0
791 movq %rcx, T0
792 pslldq $8, T0
793 pxor T0, MSG0
794 psllq $3, MSG0 /* multiply by 8 (to get bit count) */
795
796 pxor STATE2, MSG0
797 movdqa MSG0, MSG1
798
799 /* update state: */
800 update0
801 update1
802 update2
803 update3
804 update4
805 update5
806 update6
807
808 /* xor tag: */
809 movdqu (%rsi), T0
810
811 pxor STATE1, T0
812 pxor STATE2, T0
813 pxor STATE3, T0
814 pxor STATE4, T0
815 pxor STATE5, T0
816 pxor STATE6, T0
817 pxor STATE7, T0
818
819 movdqu T0, (%rsi)
820
821 FRAME_END
822 ret
823ENDPROC(crypto_aegis128l_aesni_final)
diff --git a/arch/x86/crypto/aegis128l-aesni-glue.c b/arch/x86/crypto/aegis128l-aesni-glue.c
deleted file mode 100644
index 19eb28b316f0..000000000000
--- a/arch/x86/crypto/aegis128l-aesni-glue.c
+++ /dev/null
@@ -1,293 +0,0 @@
1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 * The AEGIS-128L Authenticated-Encryption Algorithm
4 * Glue for AES-NI + SSE2 implementation
5 *
6 * Copyright (c) 2017-2018 Ondrej Mosnacek <omosnacek@gmail.com>
7 * Copyright (C) 2017-2018 Red Hat, Inc. All rights reserved.
8 */
9
10#include <crypto/internal/aead.h>
11#include <crypto/internal/simd.h>
12#include <crypto/internal/skcipher.h>
13#include <crypto/scatterwalk.h>
14#include <linux/module.h>
15#include <asm/fpu/api.h>
16#include <asm/cpu_device_id.h>
17
18#define AEGIS128L_BLOCK_ALIGN 16
19#define AEGIS128L_BLOCK_SIZE 32
20#define AEGIS128L_NONCE_SIZE 16
21#define AEGIS128L_STATE_BLOCKS 8
22#define AEGIS128L_KEY_SIZE 16
23#define AEGIS128L_MIN_AUTH_SIZE 8
24#define AEGIS128L_MAX_AUTH_SIZE 16
25
26asmlinkage void crypto_aegis128l_aesni_init(void *state, void *key, void *iv);
27
28asmlinkage void crypto_aegis128l_aesni_ad(
29 void *state, unsigned int length, const void *data);
30
31asmlinkage void crypto_aegis128l_aesni_enc(
32 void *state, unsigned int length, const void *src, void *dst);
33
34asmlinkage void crypto_aegis128l_aesni_dec(
35 void *state, unsigned int length, const void *src, void *dst);
36
37asmlinkage void crypto_aegis128l_aesni_enc_tail(
38 void *state, unsigned int length, const void *src, void *dst);
39
40asmlinkage void crypto_aegis128l_aesni_dec_tail(
41 void *state, unsigned int length, const void *src, void *dst);
42
43asmlinkage void crypto_aegis128l_aesni_final(
44 void *state, void *tag_xor, unsigned int cryptlen,
45 unsigned int assoclen);
46
47struct aegis_block {
48 u8 bytes[AEGIS128L_BLOCK_SIZE] __aligned(AEGIS128L_BLOCK_ALIGN);
49};
50
51struct aegis_state {
52 struct aegis_block blocks[AEGIS128L_STATE_BLOCKS];
53};
54
55struct aegis_ctx {
56 struct aegis_block key;
57};
58
59struct aegis_crypt_ops {
60 int (*skcipher_walk_init)(struct skcipher_walk *walk,
61 struct aead_request *req, bool atomic);
62
63 void (*crypt_blocks)(void *state, unsigned int length, const void *src,
64 void *dst);
65 void (*crypt_tail)(void *state, unsigned int length, const void *src,
66 void *dst);
67};
68
69static void crypto_aegis128l_aesni_process_ad(
70 struct aegis_state *state, struct scatterlist *sg_src,
71 unsigned int assoclen)
72{
73 struct scatter_walk walk;
74 struct aegis_block buf;
75 unsigned int pos = 0;
76
77 scatterwalk_start(&walk, sg_src);
78 while (assoclen != 0) {
79 unsigned int size = scatterwalk_clamp(&walk, assoclen);
80 unsigned int left = size;
81 void *mapped = scatterwalk_map(&walk);
82 const u8 *src = (const u8 *)mapped;
83
84 if (pos + size >= AEGIS128L_BLOCK_SIZE) {
85 if (pos > 0) {
86 unsigned int fill = AEGIS128L_BLOCK_SIZE - pos;
87 memcpy(buf.bytes + pos, src, fill);
88 crypto_aegis128l_aesni_ad(state,
89 AEGIS128L_BLOCK_SIZE,
90 buf.bytes);
91 pos = 0;
92 left -= fill;
93 src += fill;
94 }
95
96 crypto_aegis128l_aesni_ad(state, left, src);
97
98 src += left & ~(AEGIS128L_BLOCK_SIZE - 1);
99 left &= AEGIS128L_BLOCK_SIZE - 1;
100 }
101
102 memcpy(buf.bytes + pos, src, left);
103 pos += left;
104 assoclen -= size;
105
106 scatterwalk_unmap(mapped);
107 scatterwalk_advance(&walk, size);
108 scatterwalk_done(&walk, 0, assoclen);
109 }
110
111 if (pos > 0) {
112 memset(buf.bytes + pos, 0, AEGIS128L_BLOCK_SIZE - pos);
113 crypto_aegis128l_aesni_ad(state, AEGIS128L_BLOCK_SIZE, buf.bytes);
114 }
115}
116
117static void crypto_aegis128l_aesni_process_crypt(
118 struct aegis_state *state, struct skcipher_walk *walk,
119 const struct aegis_crypt_ops *ops)
120{
121 while (walk->nbytes >= AEGIS128L_BLOCK_SIZE) {
122 ops->crypt_blocks(state, round_down(walk->nbytes,
123 AEGIS128L_BLOCK_SIZE),
124 walk->src.virt.addr, walk->dst.virt.addr);
125 skcipher_walk_done(walk, walk->nbytes % AEGIS128L_BLOCK_SIZE);
126 }
127
128 if (walk->nbytes) {
129 ops->crypt_tail(state, walk->nbytes, walk->src.virt.addr,
130 walk->dst.virt.addr);
131 skcipher_walk_done(walk, 0);
132 }
133}
134
135static struct aegis_ctx *crypto_aegis128l_aesni_ctx(struct crypto_aead *aead)
136{
137 u8 *ctx = crypto_aead_ctx(aead);
138 ctx = PTR_ALIGN(ctx, __alignof__(struct aegis_ctx));
139 return (void *)ctx;
140}
141
142static int crypto_aegis128l_aesni_setkey(struct crypto_aead *aead,
143 const u8 *key, unsigned int keylen)
144{
145 struct aegis_ctx *ctx = crypto_aegis128l_aesni_ctx(aead);
146
147 if (keylen != AEGIS128L_KEY_SIZE) {
148 crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN);
149 return -EINVAL;
150 }
151
152 memcpy(ctx->key.bytes, key, AEGIS128L_KEY_SIZE);
153
154 return 0;
155}
156
157static int crypto_aegis128l_aesni_setauthsize(struct crypto_aead *tfm,
158 unsigned int authsize)
159{
160 if (authsize > AEGIS128L_MAX_AUTH_SIZE)
161 return -EINVAL;
162 if (authsize < AEGIS128L_MIN_AUTH_SIZE)
163 return -EINVAL;
164 return 0;
165}
166
167static void crypto_aegis128l_aesni_crypt(struct aead_request *req,
168 struct aegis_block *tag_xor,
169 unsigned int cryptlen,
170 const struct aegis_crypt_ops *ops)
171{
172 struct crypto_aead *tfm = crypto_aead_reqtfm(req);
173 struct aegis_ctx *ctx = crypto_aegis128l_aesni_ctx(tfm);
174 struct skcipher_walk walk;
175 struct aegis_state state;
176
177 ops->skcipher_walk_init(&walk, req, true);
178
179 kernel_fpu_begin();
180
181 crypto_aegis128l_aesni_init(&state, ctx->key.bytes, req->iv);
182 crypto_aegis128l_aesni_process_ad(&state, req->src, req->assoclen);
183 crypto_aegis128l_aesni_process_crypt(&state, &walk, ops);
184 crypto_aegis128l_aesni_final(&state, tag_xor, req->assoclen, cryptlen);
185
186 kernel_fpu_end();
187}
188
189static int crypto_aegis128l_aesni_encrypt(struct aead_request *req)
190{
191 static const struct aegis_crypt_ops OPS = {
192 .skcipher_walk_init = skcipher_walk_aead_encrypt,
193 .crypt_blocks = crypto_aegis128l_aesni_enc,
194 .crypt_tail = crypto_aegis128l_aesni_enc_tail,
195 };
196
197 struct crypto_aead *tfm = crypto_aead_reqtfm(req);
198 struct aegis_block tag = {};
199 unsigned int authsize = crypto_aead_authsize(tfm);
200 unsigned int cryptlen = req->cryptlen;
201
202 crypto_aegis128l_aesni_crypt(req, &tag, cryptlen, &OPS);
203
204 scatterwalk_map_and_copy(tag.bytes, req->dst,
205 req->assoclen + cryptlen, authsize, 1);
206 return 0;
207}
208
209static int crypto_aegis128l_aesni_decrypt(struct aead_request *req)
210{
211 static const struct aegis_block zeros = {};
212
213 static const struct aegis_crypt_ops OPS = {
214 .skcipher_walk_init = skcipher_walk_aead_decrypt,
215 .crypt_blocks = crypto_aegis128l_aesni_dec,
216 .crypt_tail = crypto_aegis128l_aesni_dec_tail,
217 };
218
219 struct crypto_aead *tfm = crypto_aead_reqtfm(req);
220 struct aegis_block tag;
221 unsigned int authsize = crypto_aead_authsize(tfm);
222 unsigned int cryptlen = req->cryptlen - authsize;
223
224 scatterwalk_map_and_copy(tag.bytes, req->src,
225 req->assoclen + cryptlen, authsize, 0);
226
227 crypto_aegis128l_aesni_crypt(req, &tag, cryptlen, &OPS);
228
229 return crypto_memneq(tag.bytes, zeros.bytes, authsize) ? -EBADMSG : 0;
230}
231
232static int crypto_aegis128l_aesni_init_tfm(struct crypto_aead *aead)
233{
234 return 0;
235}
236
237static void crypto_aegis128l_aesni_exit_tfm(struct crypto_aead *aead)
238{
239}
240
241static struct aead_alg crypto_aegis128l_aesni_alg = {
242 .setkey = crypto_aegis128l_aesni_setkey,
243 .setauthsize = crypto_aegis128l_aesni_setauthsize,
244 .encrypt = crypto_aegis128l_aesni_encrypt,
245 .decrypt = crypto_aegis128l_aesni_decrypt,
246 .init = crypto_aegis128l_aesni_init_tfm,
247 .exit = crypto_aegis128l_aesni_exit_tfm,
248
249 .ivsize = AEGIS128L_NONCE_SIZE,
250 .maxauthsize = AEGIS128L_MAX_AUTH_SIZE,
251 .chunksize = AEGIS128L_BLOCK_SIZE,
252
253 .base = {
254 .cra_flags = CRYPTO_ALG_INTERNAL,
255 .cra_blocksize = 1,
256 .cra_ctxsize = sizeof(struct aegis_ctx) +
257 __alignof__(struct aegis_ctx),
258 .cra_alignmask = 0,
259 .cra_priority = 400,
260
261 .cra_name = "__aegis128l",
262 .cra_driver_name = "__aegis128l-aesni",
263
264 .cra_module = THIS_MODULE,
265 }
266};
267
268static struct simd_aead_alg *simd_alg;
269
270static int __init crypto_aegis128l_aesni_module_init(void)
271{
272 if (!boot_cpu_has(X86_FEATURE_XMM2) ||
273 !boot_cpu_has(X86_FEATURE_AES) ||
274 !cpu_has_xfeatures(XFEATURE_MASK_SSE, NULL))
275 return -ENODEV;
276
277 return simd_register_aeads_compat(&crypto_aegis128l_aesni_alg, 1,
278 &simd_alg);
279}
280
281static void __exit crypto_aegis128l_aesni_module_exit(void)
282{
283 simd_unregister_aeads(&crypto_aegis128l_aesni_alg, 1, &simd_alg);
284}
285
286module_init(crypto_aegis128l_aesni_module_init);
287module_exit(crypto_aegis128l_aesni_module_exit);
288
289MODULE_LICENSE("GPL");
290MODULE_AUTHOR("Ondrej Mosnacek <omosnacek@gmail.com>");
291MODULE_DESCRIPTION("AEGIS-128L AEAD algorithm -- AESNI+SSE2 implementation");
292MODULE_ALIAS_CRYPTO("aegis128l");
293MODULE_ALIAS_CRYPTO("aegis128l-aesni");
diff --git a/arch/x86/crypto/aegis256-aesni-asm.S b/arch/x86/crypto/aegis256-aesni-asm.S
deleted file mode 100644
index 37d9b13dfd85..000000000000
--- a/arch/x86/crypto/aegis256-aesni-asm.S
+++ /dev/null
@@ -1,700 +0,0 @@
1/* SPDX-License-Identifier: GPL-2.0-only */
2/*
3 * AES-NI + SSE2 implementation of AEGIS-128L
4 *
5 * Copyright (c) 2017-2018 Ondrej Mosnacek <omosnacek@gmail.com>
6 * Copyright (C) 2017-2018 Red Hat, Inc. All rights reserved.
7 */
8
9#include <linux/linkage.h>
10#include <asm/frame.h>
11
12#define STATE0 %xmm0
13#define STATE1 %xmm1
14#define STATE2 %xmm2
15#define STATE3 %xmm3
16#define STATE4 %xmm4
17#define STATE5 %xmm5
18#define MSG %xmm6
19#define T0 %xmm7
20#define T1 %xmm8
21#define T2 %xmm9
22#define T3 %xmm10
23
24#define STATEP %rdi
25#define LEN %rsi
26#define SRC %rdx
27#define DST %rcx
28
29.section .rodata.cst16.aegis256_const, "aM", @progbits, 32
30.align 16
31.Laegis256_const_0:
32 .byte 0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d
33 .byte 0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62
34.Laegis256_const_1:
35 .byte 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1
36 .byte 0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd
37
38.section .rodata.cst16.aegis256_counter, "aM", @progbits, 16
39.align 16
40.Laegis256_counter:
41 .byte 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
42 .byte 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
43
44.text
45
46/*
47 * __load_partial: internal ABI
48 * input:
49 * LEN - bytes
50 * SRC - src
51 * output:
52 * MSG - message block
53 * changed:
54 * T0
55 * %r8
56 * %r9
57 */
58__load_partial:
59 xor %r9d, %r9d
60 pxor MSG, MSG
61
62 mov LEN, %r8
63 and $0x1, %r8
64 jz .Lld_partial_1
65
66 mov LEN, %r8
67 and $0x1E, %r8
68 add SRC, %r8
69 mov (%r8), %r9b
70
71.Lld_partial_1:
72 mov LEN, %r8
73 and $0x2, %r8
74 jz .Lld_partial_2
75
76 mov LEN, %r8
77 and $0x1C, %r8
78 add SRC, %r8
79 shl $0x10, %r9
80 mov (%r8), %r9w
81
82.Lld_partial_2:
83 mov LEN, %r8
84 and $0x4, %r8
85 jz .Lld_partial_4
86
87 mov LEN, %r8
88 and $0x18, %r8
89 add SRC, %r8
90 shl $32, %r9
91 mov (%r8), %r8d
92 xor %r8, %r9
93
94.Lld_partial_4:
95 movq %r9, MSG
96
97 mov LEN, %r8
98 and $0x8, %r8
99 jz .Lld_partial_8
100
101 mov LEN, %r8
102 and $0x10, %r8
103 add SRC, %r8
104 pslldq $8, MSG
105 movq (%r8), T0
106 pxor T0, MSG
107
108.Lld_partial_8:
109 ret
110ENDPROC(__load_partial)
111
112/*
113 * __store_partial: internal ABI
114 * input:
115 * LEN - bytes
116 * DST - dst
117 * output:
118 * T0 - message block
119 * changed:
120 * %r8
121 * %r9
122 * %r10
123 */
124__store_partial:
125 mov LEN, %r8
126 mov DST, %r9
127
128 movq T0, %r10
129
130 cmp $8, %r8
131 jl .Lst_partial_8
132
133 mov %r10, (%r9)
134 psrldq $8, T0
135 movq T0, %r10
136
137 sub $8, %r8
138 add $8, %r9
139
140.Lst_partial_8:
141 cmp $4, %r8
142 jl .Lst_partial_4
143
144 mov %r10d, (%r9)
145 shr $32, %r10
146
147 sub $4, %r8
148 add $4, %r9
149
150.Lst_partial_4:
151 cmp $2, %r8
152 jl .Lst_partial_2
153
154 mov %r10w, (%r9)
155 shr $0x10, %r10
156
157 sub $2, %r8
158 add $2, %r9
159
160.Lst_partial_2:
161 cmp $1, %r8
162 jl .Lst_partial_1
163
164 mov %r10b, (%r9)
165
166.Lst_partial_1:
167 ret
168ENDPROC(__store_partial)
169
170.macro update
171 movdqa STATE5, T0
172 aesenc STATE0, STATE5
173 aesenc STATE1, STATE0
174 aesenc STATE2, STATE1
175 aesenc STATE3, STATE2
176 aesenc STATE4, STATE3
177 aesenc T0, STATE4
178.endm
179
180.macro update0 m
181 update
182 pxor \m, STATE5
183.endm
184
185.macro update1 m
186 update
187 pxor \m, STATE4
188.endm
189
190.macro update2 m
191 update
192 pxor \m, STATE3
193.endm
194
195.macro update3 m
196 update
197 pxor \m, STATE2
198.endm
199
200.macro update4 m
201 update
202 pxor \m, STATE1
203.endm
204
205.macro update5 m
206 update
207 pxor \m, STATE0
208.endm
209
210.macro state_load
211 movdqu 0x00(STATEP), STATE0
212 movdqu 0x10(STATEP), STATE1
213 movdqu 0x20(STATEP), STATE2
214 movdqu 0x30(STATEP), STATE3
215 movdqu 0x40(STATEP), STATE4
216 movdqu 0x50(STATEP), STATE5
217.endm
218
219.macro state_store s0 s1 s2 s3 s4 s5
220 movdqu \s5, 0x00(STATEP)
221 movdqu \s0, 0x10(STATEP)
222 movdqu \s1, 0x20(STATEP)
223 movdqu \s2, 0x30(STATEP)
224 movdqu \s3, 0x40(STATEP)
225 movdqu \s4, 0x50(STATEP)
226.endm
227
228.macro state_store0
229 state_store STATE0 STATE1 STATE2 STATE3 STATE4 STATE5
230.endm
231
232.macro state_store1
233 state_store STATE5 STATE0 STATE1 STATE2 STATE3 STATE4
234.endm
235
236.macro state_store2
237 state_store STATE4 STATE5 STATE0 STATE1 STATE2 STATE3
238.endm
239
240.macro state_store3
241 state_store STATE3 STATE4 STATE5 STATE0 STATE1 STATE2
242.endm
243
244.macro state_store4
245 state_store STATE2 STATE3 STATE4 STATE5 STATE0 STATE1
246.endm
247
248.macro state_store5
249 state_store STATE1 STATE2 STATE3 STATE4 STATE5 STATE0
250.endm
251
252/*
253 * void crypto_aegis256_aesni_init(void *state, const void *key, const void *iv);
254 */
255ENTRY(crypto_aegis256_aesni_init)
256 FRAME_BEGIN
257
258 /* load key: */
259 movdqa 0x00(%rsi), MSG
260 movdqa 0x10(%rsi), T1
261 movdqa MSG, STATE4
262 movdqa T1, STATE5
263
264 /* load IV: */
265 movdqu 0x00(%rdx), T2
266 movdqu 0x10(%rdx), T3
267 pxor MSG, T2
268 pxor T1, T3
269 movdqa T2, STATE0
270 movdqa T3, STATE1
271
272 /* load the constants: */
273 movdqa .Laegis256_const_0, STATE3
274 movdqa .Laegis256_const_1, STATE2
275 pxor STATE3, STATE4
276 pxor STATE2, STATE5
277
278 /* update 10 times with IV and KEY: */
279 update0 MSG
280 update1 T1
281 update2 T2
282 update3 T3
283 update4 MSG
284 update5 T1
285 update0 T2
286 update1 T3
287 update2 MSG
288 update3 T1
289 update4 T2
290 update5 T3
291 update0 MSG
292 update1 T1
293 update2 T2
294 update3 T3
295
296 state_store3
297
298 FRAME_END
299 ret
300ENDPROC(crypto_aegis256_aesni_init)
301
302.macro ad_block a i
303 movdq\a (\i * 0x10)(SRC), MSG
304 update\i MSG
305 sub $0x10, LEN
306 cmp $0x10, LEN
307 jl .Lad_out_\i
308.endm
309
310/*
311 * void crypto_aegis256_aesni_ad(void *state, unsigned int length,
312 * const void *data);
313 */
314ENTRY(crypto_aegis256_aesni_ad)
315 FRAME_BEGIN
316
317 cmp $0x10, LEN
318 jb .Lad_out
319
320 state_load
321
322 mov SRC, %r8
323 and $0xf, %r8
324 jnz .Lad_u_loop
325
326.align 8
327.Lad_a_loop:
328 ad_block a 0
329 ad_block a 1
330 ad_block a 2
331 ad_block a 3
332 ad_block a 4
333 ad_block a 5
334
335 add $0x60, SRC
336 jmp .Lad_a_loop
337
338.align 8
339.Lad_u_loop:
340 ad_block u 0
341 ad_block u 1
342 ad_block u 2
343 ad_block u 3
344 ad_block u 4
345 ad_block u 5
346
347 add $0x60, SRC
348 jmp .Lad_u_loop
349
350.Lad_out_0:
351 state_store0
352 FRAME_END
353 ret
354
355.Lad_out_1:
356 state_store1
357 FRAME_END
358 ret
359
360.Lad_out_2:
361 state_store2
362 FRAME_END
363 ret
364
365.Lad_out_3:
366 state_store3
367 FRAME_END
368 ret
369
370.Lad_out_4:
371 state_store4
372 FRAME_END
373 ret
374
375.Lad_out_5:
376 state_store5
377 FRAME_END
378 ret
379
380.Lad_out:
381 FRAME_END
382 ret
383ENDPROC(crypto_aegis256_aesni_ad)
384
385.macro crypt m s0 s1 s2 s3 s4 s5
386 pxor \s1, \m
387 pxor \s4, \m
388 pxor \s5, \m
389 movdqa \s2, T3
390 pand \s3, T3
391 pxor T3, \m
392.endm
393
394.macro crypt0 m
395 crypt \m STATE0 STATE1 STATE2 STATE3 STATE4 STATE5
396.endm
397
398.macro crypt1 m
399 crypt \m STATE5 STATE0 STATE1 STATE2 STATE3 STATE4
400.endm
401
402.macro crypt2 m
403 crypt \m STATE4 STATE5 STATE0 STATE1 STATE2 STATE3
404.endm
405
406.macro crypt3 m
407 crypt \m STATE3 STATE4 STATE5 STATE0 STATE1 STATE2
408.endm
409
410.macro crypt4 m
411 crypt \m STATE2 STATE3 STATE4 STATE5 STATE0 STATE1
412.endm
413
414.macro crypt5 m
415 crypt \m STATE1 STATE2 STATE3 STATE4 STATE5 STATE0
416.endm
417
418.macro encrypt_block a i
419 movdq\a (\i * 0x10)(SRC), MSG
420 movdqa MSG, T0
421 crypt\i T0
422 movdq\a T0, (\i * 0x10)(DST)
423
424 update\i MSG
425
426 sub $0x10, LEN
427 cmp $0x10, LEN
428 jl .Lenc_out_\i
429.endm
430
431.macro decrypt_block a i
432 movdq\a (\i * 0x10)(SRC), MSG
433 crypt\i MSG
434 movdq\a MSG, (\i * 0x10)(DST)
435
436 update\i MSG
437
438 sub $0x10, LEN
439 cmp $0x10, LEN
440 jl .Ldec_out_\i
441.endm
442
443/*
444 * void crypto_aegis256_aesni_enc(void *state, unsigned int length,
445 * const void *src, void *dst);
446 */
447ENTRY(crypto_aegis256_aesni_enc)
448 FRAME_BEGIN
449
450 cmp $0x10, LEN
451 jb .Lenc_out
452
453 state_load
454
455 mov SRC, %r8
456 or DST, %r8
457 and $0xf, %r8
458 jnz .Lenc_u_loop
459
460.align 8
461.Lenc_a_loop:
462 encrypt_block a 0
463 encrypt_block a 1
464 encrypt_block a 2
465 encrypt_block a 3
466 encrypt_block a 4
467 encrypt_block a 5
468
469 add $0x60, SRC
470 add $0x60, DST
471 jmp .Lenc_a_loop
472
473.align 8
474.Lenc_u_loop:
475 encrypt_block u 0
476 encrypt_block u 1
477 encrypt_block u 2
478 encrypt_block u 3
479 encrypt_block u 4
480 encrypt_block u 5
481
482 add $0x60, SRC
483 add $0x60, DST
484 jmp .Lenc_u_loop
485
486.Lenc_out_0:
487 state_store0
488 FRAME_END
489 ret
490
491.Lenc_out_1:
492 state_store1
493 FRAME_END
494 ret
495
496.Lenc_out_2:
497 state_store2
498 FRAME_END
499 ret
500
501.Lenc_out_3:
502 state_store3
503 FRAME_END
504 ret
505
506.Lenc_out_4:
507 state_store4
508 FRAME_END
509 ret
510
511.Lenc_out_5:
512 state_store5
513 FRAME_END
514 ret
515
516.Lenc_out:
517 FRAME_END
518 ret
519ENDPROC(crypto_aegis256_aesni_enc)
520
521/*
522 * void crypto_aegis256_aesni_enc_tail(void *state, unsigned int length,
523 * const void *src, void *dst);
524 */
525ENTRY(crypto_aegis256_aesni_enc_tail)
526 FRAME_BEGIN
527
528 state_load
529
530 /* encrypt message: */
531 call __load_partial
532
533 movdqa MSG, T0
534 crypt0 T0
535
536 call __store_partial
537
538 update0 MSG
539
540 state_store0
541
542 FRAME_END
543 ret
544ENDPROC(crypto_aegis256_aesni_enc_tail)
545
546/*
547 * void crypto_aegis256_aesni_dec(void *state, unsigned int length,
548 * const void *src, void *dst);
549 */
550ENTRY(crypto_aegis256_aesni_dec)
551 FRAME_BEGIN
552
553 cmp $0x10, LEN
554 jb .Ldec_out
555
556 state_load
557
558 mov SRC, %r8
559 or DST, %r8
560 and $0xF, %r8
561 jnz .Ldec_u_loop
562
563.align 8
564.Ldec_a_loop:
565 decrypt_block a 0
566 decrypt_block a 1
567 decrypt_block a 2
568 decrypt_block a 3
569 decrypt_block a 4
570 decrypt_block a 5
571
572 add $0x60, SRC
573 add $0x60, DST
574 jmp .Ldec_a_loop
575
576.align 8
577.Ldec_u_loop:
578 decrypt_block u 0
579 decrypt_block u 1
580 decrypt_block u 2
581 decrypt_block u 3
582 decrypt_block u 4
583 decrypt_block u 5
584
585 add $0x60, SRC
586 add $0x60, DST
587 jmp .Ldec_u_loop
588
589.Ldec_out_0:
590 state_store0
591 FRAME_END
592 ret
593
594.Ldec_out_1:
595 state_store1
596 FRAME_END
597 ret
598
599.Ldec_out_2:
600 state_store2
601 FRAME_END
602 ret
603
604.Ldec_out_3:
605 state_store3
606 FRAME_END
607 ret
608
609.Ldec_out_4:
610 state_store4
611 FRAME_END
612 ret
613
614.Ldec_out_5:
615 state_store5
616 FRAME_END
617 ret
618
619.Ldec_out:
620 FRAME_END
621 ret
622ENDPROC(crypto_aegis256_aesni_dec)
623
624/*
625 * void crypto_aegis256_aesni_dec_tail(void *state, unsigned int length,
626 * const void *src, void *dst);
627 */
628ENTRY(crypto_aegis256_aesni_dec_tail)
629 FRAME_BEGIN
630
631 state_load
632
633 /* decrypt message: */
634 call __load_partial
635
636 crypt0 MSG
637
638 movdqa MSG, T0
639 call __store_partial
640
641 /* mask with byte count: */
642 movq LEN, T0
643 punpcklbw T0, T0
644 punpcklbw T0, T0
645 punpcklbw T0, T0
646 punpcklbw T0, T0
647 movdqa .Laegis256_counter, T1
648 pcmpgtb T1, T0
649 pand T0, MSG
650
651 update0 MSG
652
653 state_store0
654
655 FRAME_END
656 ret
657ENDPROC(crypto_aegis256_aesni_dec_tail)
658
659/*
660 * void crypto_aegis256_aesni_final(void *state, void *tag_xor,
661 * u64 assoclen, u64 cryptlen);
662 */
663ENTRY(crypto_aegis256_aesni_final)
664 FRAME_BEGIN
665
666 state_load
667
668 /* prepare length block: */
669 movq %rdx, MSG
670 movq %rcx, T0
671 pslldq $8, T0
672 pxor T0, MSG
673 psllq $3, MSG /* multiply by 8 (to get bit count) */
674
675 pxor STATE3, MSG
676
677 /* update state: */
678 update0 MSG
679 update1 MSG
680 update2 MSG
681 update3 MSG
682 update4 MSG
683 update5 MSG
684 update0 MSG
685
686 /* xor tag: */
687 movdqu (%rsi), MSG
688
689 pxor STATE0, MSG
690 pxor STATE1, MSG
691 pxor STATE2, MSG
692 pxor STATE3, MSG
693 pxor STATE4, MSG
694 pxor STATE5, MSG
695
696 movdqu MSG, (%rsi)
697
698 FRAME_END
699 ret
700ENDPROC(crypto_aegis256_aesni_final)
diff --git a/arch/x86/crypto/aegis256-aesni-glue.c b/arch/x86/crypto/aegis256-aesni-glue.c
deleted file mode 100644
index f84da27171d3..000000000000
--- a/arch/x86/crypto/aegis256-aesni-glue.c
+++ /dev/null
@@ -1,293 +0,0 @@
1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 * The AEGIS-256 Authenticated-Encryption Algorithm
4 * Glue for AES-NI + SSE2 implementation
5 *
6 * Copyright (c) 2017-2018 Ondrej Mosnacek <omosnacek@gmail.com>
7 * Copyright (C) 2017-2018 Red Hat, Inc. All rights reserved.
8 */
9
10#include <crypto/internal/aead.h>
11#include <crypto/internal/simd.h>
12#include <crypto/internal/skcipher.h>
13#include <crypto/scatterwalk.h>
14#include <linux/module.h>
15#include <asm/fpu/api.h>
16#include <asm/cpu_device_id.h>
17
18#define AEGIS256_BLOCK_ALIGN 16
19#define AEGIS256_BLOCK_SIZE 16
20#define AEGIS256_NONCE_SIZE 32
21#define AEGIS256_STATE_BLOCKS 6
22#define AEGIS256_KEY_SIZE 32
23#define AEGIS256_MIN_AUTH_SIZE 8
24#define AEGIS256_MAX_AUTH_SIZE 16
25
26asmlinkage void crypto_aegis256_aesni_init(void *state, void *key, void *iv);
27
28asmlinkage void crypto_aegis256_aesni_ad(
29 void *state, unsigned int length, const void *data);
30
31asmlinkage void crypto_aegis256_aesni_enc(
32 void *state, unsigned int length, const void *src, void *dst);
33
34asmlinkage void crypto_aegis256_aesni_dec(
35 void *state, unsigned int length, const void *src, void *dst);
36
37asmlinkage void crypto_aegis256_aesni_enc_tail(
38 void *state, unsigned int length, const void *src, void *dst);
39
40asmlinkage void crypto_aegis256_aesni_dec_tail(
41 void *state, unsigned int length, const void *src, void *dst);
42
43asmlinkage void crypto_aegis256_aesni_final(
44 void *state, void *tag_xor, unsigned int cryptlen,
45 unsigned int assoclen);
46
47struct aegis_block {
48 u8 bytes[AEGIS256_BLOCK_SIZE] __aligned(AEGIS256_BLOCK_ALIGN);
49};
50
51struct aegis_state {
52 struct aegis_block blocks[AEGIS256_STATE_BLOCKS];
53};
54
55struct aegis_ctx {
56 struct aegis_block key[AEGIS256_KEY_SIZE / AEGIS256_BLOCK_SIZE];
57};
58
59struct aegis_crypt_ops {
60 int (*skcipher_walk_init)(struct skcipher_walk *walk,
61 struct aead_request *req, bool atomic);
62
63 void (*crypt_blocks)(void *state, unsigned int length, const void *src,
64 void *dst);
65 void (*crypt_tail)(void *state, unsigned int length, const void *src,
66 void *dst);
67};
68
69static void crypto_aegis256_aesni_process_ad(
70 struct aegis_state *state, struct scatterlist *sg_src,
71 unsigned int assoclen)
72{
73 struct scatter_walk walk;
74 struct aegis_block buf;
75 unsigned int pos = 0;
76
77 scatterwalk_start(&walk, sg_src);
78 while (assoclen != 0) {
79 unsigned int size = scatterwalk_clamp(&walk, assoclen);
80 unsigned int left = size;
81 void *mapped = scatterwalk_map(&walk);
82 const u8 *src = (const u8 *)mapped;
83
84 if (pos + size >= AEGIS256_BLOCK_SIZE) {
85 if (pos > 0) {
86 unsigned int fill = AEGIS256_BLOCK_SIZE - pos;
87 memcpy(buf.bytes + pos, src, fill);
88 crypto_aegis256_aesni_ad(state,
89 AEGIS256_BLOCK_SIZE,
90 buf.bytes);
91 pos = 0;
92 left -= fill;
93 src += fill;
94 }
95
96 crypto_aegis256_aesni_ad(state, left, src);
97
98 src += left & ~(AEGIS256_BLOCK_SIZE - 1);
99 left &= AEGIS256_BLOCK_SIZE - 1;
100 }
101
102 memcpy(buf.bytes + pos, src, left);
103 pos += left;
104 assoclen -= size;
105
106 scatterwalk_unmap(mapped);
107 scatterwalk_advance(&walk, size);
108 scatterwalk_done(&walk, 0, assoclen);
109 }
110
111 if (pos > 0) {
112 memset(buf.bytes + pos, 0, AEGIS256_BLOCK_SIZE - pos);
113 crypto_aegis256_aesni_ad(state, AEGIS256_BLOCK_SIZE, buf.bytes);
114 }
115}
116
117static void crypto_aegis256_aesni_process_crypt(
118 struct aegis_state *state, struct skcipher_walk *walk,
119 const struct aegis_crypt_ops *ops)
120{
121 while (walk->nbytes >= AEGIS256_BLOCK_SIZE) {
122 ops->crypt_blocks(state,
123 round_down(walk->nbytes, AEGIS256_BLOCK_SIZE),
124 walk->src.virt.addr, walk->dst.virt.addr);
125 skcipher_walk_done(walk, walk->nbytes % AEGIS256_BLOCK_SIZE);
126 }
127
128 if (walk->nbytes) {
129 ops->crypt_tail(state, walk->nbytes, walk->src.virt.addr,
130 walk->dst.virt.addr);
131 skcipher_walk_done(walk, 0);
132 }
133}
134
135static struct aegis_ctx *crypto_aegis256_aesni_ctx(struct crypto_aead *aead)
136{
137 u8 *ctx = crypto_aead_ctx(aead);
138 ctx = PTR_ALIGN(ctx, __alignof__(struct aegis_ctx));
139 return (void *)ctx;
140}
141
142static int crypto_aegis256_aesni_setkey(struct crypto_aead *aead, const u8 *key,
143 unsigned int keylen)
144{
145 struct aegis_ctx *ctx = crypto_aegis256_aesni_ctx(aead);
146
147 if (keylen != AEGIS256_KEY_SIZE) {
148 crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN);
149 return -EINVAL;
150 }
151
152 memcpy(ctx->key, key, AEGIS256_KEY_SIZE);
153
154 return 0;
155}
156
157static int crypto_aegis256_aesni_setauthsize(struct crypto_aead *tfm,
158 unsigned int authsize)
159{
160 if (authsize > AEGIS256_MAX_AUTH_SIZE)
161 return -EINVAL;
162 if (authsize < AEGIS256_MIN_AUTH_SIZE)
163 return -EINVAL;
164 return 0;
165}
166
167static void crypto_aegis256_aesni_crypt(struct aead_request *req,
168 struct aegis_block *tag_xor,
169 unsigned int cryptlen,
170 const struct aegis_crypt_ops *ops)
171{
172 struct crypto_aead *tfm = crypto_aead_reqtfm(req);
173 struct aegis_ctx *ctx = crypto_aegis256_aesni_ctx(tfm);
174 struct skcipher_walk walk;
175 struct aegis_state state;
176
177 ops->skcipher_walk_init(&walk, req, true);
178
179 kernel_fpu_begin();
180
181 crypto_aegis256_aesni_init(&state, ctx->key, req->iv);
182 crypto_aegis256_aesni_process_ad(&state, req->src, req->assoclen);
183 crypto_aegis256_aesni_process_crypt(&state, &walk, ops);
184 crypto_aegis256_aesni_final(&state, tag_xor, req->assoclen, cryptlen);
185
186 kernel_fpu_end();
187}
188
189static int crypto_aegis256_aesni_encrypt(struct aead_request *req)
190{
191 static const struct aegis_crypt_ops OPS = {
192 .skcipher_walk_init = skcipher_walk_aead_encrypt,
193 .crypt_blocks = crypto_aegis256_aesni_enc,
194 .crypt_tail = crypto_aegis256_aesni_enc_tail,
195 };
196
197 struct crypto_aead *tfm = crypto_aead_reqtfm(req);
198 struct aegis_block tag = {};
199 unsigned int authsize = crypto_aead_authsize(tfm);
200 unsigned int cryptlen = req->cryptlen;
201
202 crypto_aegis256_aesni_crypt(req, &tag, cryptlen, &OPS);
203
204 scatterwalk_map_and_copy(tag.bytes, req->dst,
205 req->assoclen + cryptlen, authsize, 1);
206 return 0;
207}
208
209static int crypto_aegis256_aesni_decrypt(struct aead_request *req)
210{
211 static const struct aegis_block zeros = {};
212
213 static const struct aegis_crypt_ops OPS = {
214 .skcipher_walk_init = skcipher_walk_aead_decrypt,
215 .crypt_blocks = crypto_aegis256_aesni_dec,
216 .crypt_tail = crypto_aegis256_aesni_dec_tail,
217 };
218
219 struct crypto_aead *tfm = crypto_aead_reqtfm(req);
220 struct aegis_block tag;
221 unsigned int authsize = crypto_aead_authsize(tfm);
222 unsigned int cryptlen = req->cryptlen - authsize;
223
224 scatterwalk_map_and_copy(tag.bytes, req->src,
225 req->assoclen + cryptlen, authsize, 0);
226
227 crypto_aegis256_aesni_crypt(req, &tag, cryptlen, &OPS);
228
229 return crypto_memneq(tag.bytes, zeros.bytes, authsize) ? -EBADMSG : 0;
230}
231
232static int crypto_aegis256_aesni_init_tfm(struct crypto_aead *aead)
233{
234 return 0;
235}
236
237static void crypto_aegis256_aesni_exit_tfm(struct crypto_aead *aead)
238{
239}
240
241static struct aead_alg crypto_aegis256_aesni_alg = {
242 .setkey = crypto_aegis256_aesni_setkey,
243 .setauthsize = crypto_aegis256_aesni_setauthsize,
244 .encrypt = crypto_aegis256_aesni_encrypt,
245 .decrypt = crypto_aegis256_aesni_decrypt,
246 .init = crypto_aegis256_aesni_init_tfm,
247 .exit = crypto_aegis256_aesni_exit_tfm,
248
249 .ivsize = AEGIS256_NONCE_SIZE,
250 .maxauthsize = AEGIS256_MAX_AUTH_SIZE,
251 .chunksize = AEGIS256_BLOCK_SIZE,
252
253 .base = {
254 .cra_flags = CRYPTO_ALG_INTERNAL,
255 .cra_blocksize = 1,
256 .cra_ctxsize = sizeof(struct aegis_ctx) +
257 __alignof__(struct aegis_ctx),
258 .cra_alignmask = 0,
259 .cra_priority = 400,
260
261 .cra_name = "__aegis256",
262 .cra_driver_name = "__aegis256-aesni",
263
264 .cra_module = THIS_MODULE,
265 }
266};
267
268static struct simd_aead_alg *simd_alg;
269
270static int __init crypto_aegis256_aesni_module_init(void)
271{
272 if (!boot_cpu_has(X86_FEATURE_XMM2) ||
273 !boot_cpu_has(X86_FEATURE_AES) ||
274 !cpu_has_xfeatures(XFEATURE_MASK_SSE, NULL))
275 return -ENODEV;
276
277 return simd_register_aeads_compat(&crypto_aegis256_aesni_alg, 1,
278 &simd_alg);
279}
280
281static void __exit crypto_aegis256_aesni_module_exit(void)
282{
283 simd_unregister_aeads(&crypto_aegis256_aesni_alg, 1, &simd_alg);
284}
285
286module_init(crypto_aegis256_aesni_module_init);
287module_exit(crypto_aegis256_aesni_module_exit);
288
289MODULE_LICENSE("GPL");
290MODULE_AUTHOR("Ondrej Mosnacek <omosnacek@gmail.com>");
291MODULE_DESCRIPTION("AEGIS-256 AEAD algorithm -- AESNI+SSE2 implementation");
292MODULE_ALIAS_CRYPTO("aegis256");
293MODULE_ALIAS_CRYPTO("aegis256-aesni");
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 160dc1a9c7ec..559494bbc0db 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -306,20 +306,6 @@ config CRYPTO_AEGIS128
306 help 306 help
307 Support for the AEGIS-128 dedicated AEAD algorithm. 307 Support for the AEGIS-128 dedicated AEAD algorithm.
308 308
309config CRYPTO_AEGIS128L
310 tristate "AEGIS-128L AEAD algorithm"
311 select CRYPTO_AEAD
312 select CRYPTO_AES # for AES S-box tables
313 help
314 Support for the AEGIS-128L dedicated AEAD algorithm.
315
316config CRYPTO_AEGIS256
317 tristate "AEGIS-256 AEAD algorithm"
318 select CRYPTO_AEAD
319 select CRYPTO_AES # for AES S-box tables
320 help
321 Support for the AEGIS-256 dedicated AEAD algorithm.
322
323config CRYPTO_AEGIS128_AESNI_SSE2 309config CRYPTO_AEGIS128_AESNI_SSE2
324 tristate "AEGIS-128 AEAD algorithm (x86_64 AESNI+SSE2 implementation)" 310 tristate "AEGIS-128 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
325 depends on X86 && 64BIT 311 depends on X86 && 64BIT
@@ -328,22 +314,6 @@ config CRYPTO_AEGIS128_AESNI_SSE2
328 help 314 help
329 AESNI+SSE2 implementation of the AEGIS-128 dedicated AEAD algorithm. 315 AESNI+SSE2 implementation of the AEGIS-128 dedicated AEAD algorithm.
330 316
331config CRYPTO_AEGIS128L_AESNI_SSE2
332 tristate "AEGIS-128L AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
333 depends on X86 && 64BIT
334 select CRYPTO_AEAD
335 select CRYPTO_SIMD
336 help
337 AESNI+SSE2 implementation of the AEGIS-128L dedicated AEAD algorithm.
338
339config CRYPTO_AEGIS256_AESNI_SSE2
340 tristate "AEGIS-256 AEAD algorithm (x86_64 AESNI+SSE2 implementation)"
341 depends on X86 && 64BIT
342 select CRYPTO_AEAD
343 select CRYPTO_SIMD
344 help
345 AESNI+SSE2 implementation of the AEGIS-256 dedicated AEAD algorithm.
346
347config CRYPTO_SEQIV 317config CRYPTO_SEQIV
348 tristate "Sequence Number IV Generator" 318 tristate "Sequence Number IV Generator"
349 select CRYPTO_AEAD 319 select CRYPTO_AEAD
diff --git a/crypto/Makefile b/crypto/Makefile
index 4bc1951d3787..93375e124ff7 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -90,8 +90,6 @@ obj-$(CONFIG_CRYPTO_GCM) += gcm.o
90obj-$(CONFIG_CRYPTO_CCM) += ccm.o 90obj-$(CONFIG_CRYPTO_CCM) += ccm.o
91obj-$(CONFIG_CRYPTO_CHACHA20POLY1305) += chacha20poly1305.o 91obj-$(CONFIG_CRYPTO_CHACHA20POLY1305) += chacha20poly1305.o
92obj-$(CONFIG_CRYPTO_AEGIS128) += aegis128.o 92obj-$(CONFIG_CRYPTO_AEGIS128) += aegis128.o
93obj-$(CONFIG_CRYPTO_AEGIS128L) += aegis128l.o
94obj-$(CONFIG_CRYPTO_AEGIS256) += aegis256.o
95obj-$(CONFIG_CRYPTO_PCRYPT) += pcrypt.o 93obj-$(CONFIG_CRYPTO_PCRYPT) += pcrypt.o
96obj-$(CONFIG_CRYPTO_CRYPTD) += cryptd.o 94obj-$(CONFIG_CRYPTO_CRYPTD) += cryptd.o
97obj-$(CONFIG_CRYPTO_DES) += des_generic.o 95obj-$(CONFIG_CRYPTO_DES) += des_generic.o
diff --git a/crypto/aegis128l.c b/crypto/aegis128l.c
deleted file mode 100644
index 9bca3d619a22..000000000000
--- a/crypto/aegis128l.c
+++ /dev/null
@@ -1,522 +0,0 @@
1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 * The AEGIS-128L Authenticated-Encryption Algorithm
4 *
5 * Copyright (c) 2017-2018 Ondrej Mosnacek <omosnacek@gmail.com>
6 * Copyright (C) 2017-2018 Red Hat, Inc. All rights reserved.
7 */
8
9#include <crypto/algapi.h>
10#include <crypto/internal/aead.h>
11#include <crypto/internal/skcipher.h>
12#include <crypto/scatterwalk.h>
13#include <linux/err.h>
14#include <linux/init.h>
15#include <linux/kernel.h>
16#include <linux/module.h>
17#include <linux/scatterlist.h>
18
19#include "aegis.h"
20
21#define AEGIS128L_CHUNK_BLOCKS 2
22#define AEGIS128L_CHUNK_SIZE (AEGIS128L_CHUNK_BLOCKS * AEGIS_BLOCK_SIZE)
23#define AEGIS128L_NONCE_SIZE 16
24#define AEGIS128L_STATE_BLOCKS 8
25#define AEGIS128L_KEY_SIZE 16
26#define AEGIS128L_MIN_AUTH_SIZE 8
27#define AEGIS128L_MAX_AUTH_SIZE 16
28
29union aegis_chunk {
30 union aegis_block blocks[AEGIS128L_CHUNK_BLOCKS];
31 u8 bytes[AEGIS128L_CHUNK_SIZE];
32};
33
34struct aegis_state {
35 union aegis_block blocks[AEGIS128L_STATE_BLOCKS];
36};
37
38struct aegis_ctx {
39 union aegis_block key;
40};
41
42struct aegis128l_ops {
43 int (*skcipher_walk_init)(struct skcipher_walk *walk,
44 struct aead_request *req, bool atomic);
45
46 void (*crypt_chunk)(struct aegis_state *state, u8 *dst,
47 const u8 *src, unsigned int size);
48};
49
50static void crypto_aegis128l_update(struct aegis_state *state)
51{
52 union aegis_block tmp;
53 unsigned int i;
54
55 tmp = state->blocks[AEGIS128L_STATE_BLOCKS - 1];
56 for (i = AEGIS128L_STATE_BLOCKS - 1; i > 0; i--)
57 crypto_aegis_aesenc(&state->blocks[i], &state->blocks[i - 1],
58 &state->blocks[i]);
59 crypto_aegis_aesenc(&state->blocks[0], &tmp, &state->blocks[0]);
60}
61
62static void crypto_aegis128l_update_a(struct aegis_state *state,
63 const union aegis_chunk *msg)
64{
65 crypto_aegis128l_update(state);
66 crypto_aegis_block_xor(&state->blocks[0], &msg->blocks[0]);
67 crypto_aegis_block_xor(&state->blocks[4], &msg->blocks[1]);
68}
69
70static void crypto_aegis128l_update_u(struct aegis_state *state,
71 const void *msg)
72{
73 crypto_aegis128l_update(state);
74 crypto_xor(state->blocks[0].bytes, msg + 0 * AEGIS_BLOCK_SIZE,
75 AEGIS_BLOCK_SIZE);
76 crypto_xor(state->blocks[4].bytes, msg + 1 * AEGIS_BLOCK_SIZE,
77 AEGIS_BLOCK_SIZE);
78}
79
80static void crypto_aegis128l_init(struct aegis_state *state,
81 const union aegis_block *key,
82 const u8 *iv)
83{
84 union aegis_block key_iv;
85 union aegis_chunk chunk;
86 unsigned int i;
87
88 memcpy(chunk.blocks[0].bytes, iv, AEGIS_BLOCK_SIZE);
89 chunk.blocks[1] = *key;
90
91 key_iv = *key;
92 crypto_aegis_block_xor(&key_iv, &chunk.blocks[0]);
93
94 state->blocks[0] = key_iv;
95 state->blocks[1] = crypto_aegis_const[1];
96 state->blocks[2] = crypto_aegis_const[0];
97 state->blocks[3] = crypto_aegis_const[1];
98 state->blocks[4] = key_iv;
99 state->blocks[5] = *key;
100 state->blocks[6] = *key;
101 state->blocks[7] = *key;
102
103 crypto_aegis_block_xor(&state->blocks[5], &crypto_aegis_const[0]);
104 crypto_aegis_block_xor(&state->blocks[6], &crypto_aegis_const[1]);
105 crypto_aegis_block_xor(&state->blocks[7], &crypto_aegis_const[0]);
106
107 for (i = 0; i < 10; i++) {
108 crypto_aegis128l_update_a(state, &chunk);
109 }
110}
111
112static void crypto_aegis128l_ad(struct aegis_state *state,
113 const u8 *src, unsigned int size)
114{
115 if (AEGIS_ALIGNED(src)) {
116 const union aegis_chunk *src_chunk =
117 (const union aegis_chunk *)src;
118
119 while (size >= AEGIS128L_CHUNK_SIZE) {
120 crypto_aegis128l_update_a(state, src_chunk);
121
122 size -= AEGIS128L_CHUNK_SIZE;
123 src_chunk += 1;
124 }
125 } else {
126 while (size >= AEGIS128L_CHUNK_SIZE) {
127 crypto_aegis128l_update_u(state, src);
128
129 size -= AEGIS128L_CHUNK_SIZE;
130 src += AEGIS128L_CHUNK_SIZE;
131 }
132 }
133}
134
135static void crypto_aegis128l_encrypt_chunk(struct aegis_state *state, u8 *dst,
136 const u8 *src, unsigned int size)
137{
138 union aegis_chunk tmp;
139 union aegis_block *tmp0 = &tmp.blocks[0];
140 union aegis_block *tmp1 = &tmp.blocks[1];
141
142 if (AEGIS_ALIGNED(src) && AEGIS_ALIGNED(dst)) {
143 while (size >= AEGIS128L_CHUNK_SIZE) {
144 union aegis_chunk *dst_blk =
145 (union aegis_chunk *)dst;
146 const union aegis_chunk *src_blk =
147 (const union aegis_chunk *)src;
148
149 *tmp0 = state->blocks[2];
150 crypto_aegis_block_and(tmp0, &state->blocks[3]);
151 crypto_aegis_block_xor(tmp0, &state->blocks[6]);
152 crypto_aegis_block_xor(tmp0, &state->blocks[1]);
153 crypto_aegis_block_xor(tmp0, &src_blk->blocks[0]);
154
155 *tmp1 = state->blocks[6];
156 crypto_aegis_block_and(tmp1, &state->blocks[7]);
157 crypto_aegis_block_xor(tmp1, &state->blocks[5]);
158 crypto_aegis_block_xor(tmp1, &state->blocks[2]);
159 crypto_aegis_block_xor(tmp1, &src_blk->blocks[1]);
160
161 crypto_aegis128l_update_a(state, src_blk);
162
163 *dst_blk = tmp;
164
165 size -= AEGIS128L_CHUNK_SIZE;
166 src += AEGIS128L_CHUNK_SIZE;
167 dst += AEGIS128L_CHUNK_SIZE;
168 }
169 } else {
170 while (size >= AEGIS128L_CHUNK_SIZE) {
171 *tmp0 = state->blocks[2];
172 crypto_aegis_block_and(tmp0, &state->blocks[3]);
173 crypto_aegis_block_xor(tmp0, &state->blocks[6]);
174 crypto_aegis_block_xor(tmp0, &state->blocks[1]);
175 crypto_xor(tmp0->bytes, src + 0 * AEGIS_BLOCK_SIZE,
176 AEGIS_BLOCK_SIZE);
177
178 *tmp1 = state->blocks[6];
179 crypto_aegis_block_and(tmp1, &state->blocks[7]);
180 crypto_aegis_block_xor(tmp1, &state->blocks[5]);
181 crypto_aegis_block_xor(tmp1, &state->blocks[2]);
182 crypto_xor(tmp1->bytes, src + 1 * AEGIS_BLOCK_SIZE,
183 AEGIS_BLOCK_SIZE);
184
185 crypto_aegis128l_update_u(state, src);
186
187 memcpy(dst, tmp.bytes, AEGIS128L_CHUNK_SIZE);
188
189 size -= AEGIS128L_CHUNK_SIZE;
190 src += AEGIS128L_CHUNK_SIZE;
191 dst += AEGIS128L_CHUNK_SIZE;
192 }
193 }
194
195 if (size > 0) {
196 union aegis_chunk msg = {};
197 memcpy(msg.bytes, src, size);
198
199 *tmp0 = state->blocks[2];
200 crypto_aegis_block_and(tmp0, &state->blocks[3]);
201 crypto_aegis_block_xor(tmp0, &state->blocks[6]);
202 crypto_aegis_block_xor(tmp0, &state->blocks[1]);
203
204 *tmp1 = state->blocks[6];
205 crypto_aegis_block_and(tmp1, &state->blocks[7]);
206 crypto_aegis_block_xor(tmp1, &state->blocks[5]);
207 crypto_aegis_block_xor(tmp1, &state->blocks[2]);
208
209 crypto_aegis128l_update_a(state, &msg);
210
211 crypto_aegis_block_xor(&msg.blocks[0], tmp0);
212 crypto_aegis_block_xor(&msg.blocks[1], tmp1);
213
214 memcpy(dst, msg.bytes, size);
215 }
216}
217
218static void crypto_aegis128l_decrypt_chunk(struct aegis_state *state, u8 *dst,
219 const u8 *src, unsigned int size)
220{
221 union aegis_chunk tmp;
222 union aegis_block *tmp0 = &tmp.blocks[0];
223 union aegis_block *tmp1 = &tmp.blocks[1];
224
225 if (AEGIS_ALIGNED(src) && AEGIS_ALIGNED(dst)) {
226 while (size >= AEGIS128L_CHUNK_SIZE) {
227 union aegis_chunk *dst_blk =
228 (union aegis_chunk *)dst;
229 const union aegis_chunk *src_blk =
230 (const union aegis_chunk *)src;
231
232 *tmp0 = state->blocks[2];
233 crypto_aegis_block_and(tmp0, &state->blocks[3]);
234 crypto_aegis_block_xor(tmp0, &state->blocks[6]);
235 crypto_aegis_block_xor(tmp0, &state->blocks[1]);
236 crypto_aegis_block_xor(tmp0, &src_blk->blocks[0]);
237
238 *tmp1 = state->blocks[6];
239 crypto_aegis_block_and(tmp1, &state->blocks[7]);
240 crypto_aegis_block_xor(tmp1, &state->blocks[5]);
241 crypto_aegis_block_xor(tmp1, &state->blocks[2]);
242 crypto_aegis_block_xor(tmp1, &src_blk->blocks[1]);
243
244 crypto_aegis128l_update_a(state, &tmp);
245
246 *dst_blk = tmp;
247
248 size -= AEGIS128L_CHUNK_SIZE;
249 src += AEGIS128L_CHUNK_SIZE;
250 dst += AEGIS128L_CHUNK_SIZE;
251 }
252 } else {
253 while (size >= AEGIS128L_CHUNK_SIZE) {
254 *tmp0 = state->blocks[2];
255 crypto_aegis_block_and(tmp0, &state->blocks[3]);
256 crypto_aegis_block_xor(tmp0, &state->blocks[6]);
257 crypto_aegis_block_xor(tmp0, &state->blocks[1]);
258 crypto_xor(tmp0->bytes, src + 0 * AEGIS_BLOCK_SIZE,
259 AEGIS_BLOCK_SIZE);
260
261 *tmp1 = state->blocks[6];
262 crypto_aegis_block_and(tmp1, &state->blocks[7]);
263 crypto_aegis_block_xor(tmp1, &state->blocks[5]);
264 crypto_aegis_block_xor(tmp1, &state->blocks[2]);
265 crypto_xor(tmp1->bytes, src + 1 * AEGIS_BLOCK_SIZE,
266 AEGIS_BLOCK_SIZE);
267
268 crypto_aegis128l_update_a(state, &tmp);
269
270 memcpy(dst, tmp.bytes, AEGIS128L_CHUNK_SIZE);
271
272 size -= AEGIS128L_CHUNK_SIZE;
273 src += AEGIS128L_CHUNK_SIZE;
274 dst += AEGIS128L_CHUNK_SIZE;
275 }
276 }
277
278 if (size > 0) {
279 union aegis_chunk msg = {};
280 memcpy(msg.bytes, src, size);
281
282 *tmp0 = state->blocks[2];
283 crypto_aegis_block_and(tmp0, &state->blocks[3]);
284 crypto_aegis_block_xor(tmp0, &state->blocks[6]);
285 crypto_aegis_block_xor(tmp0, &state->blocks[1]);
286 crypto_aegis_block_xor(&msg.blocks[0], tmp0);
287
288 *tmp1 = state->blocks[6];
289 crypto_aegis_block_and(tmp1, &state->blocks[7]);
290 crypto_aegis_block_xor(tmp1, &state->blocks[5]);
291 crypto_aegis_block_xor(tmp1, &state->blocks[2]);
292 crypto_aegis_block_xor(&msg.blocks[1], tmp1);
293
294 memset(msg.bytes + size, 0, AEGIS128L_CHUNK_SIZE - size);
295
296 crypto_aegis128l_update_a(state, &msg);
297
298 memcpy(dst, msg.bytes, size);
299 }
300}
301
302static void crypto_aegis128l_process_ad(struct aegis_state *state,
303 struct scatterlist *sg_src,
304 unsigned int assoclen)
305{
306 struct scatter_walk walk;
307 union aegis_chunk buf;
308 unsigned int pos = 0;
309
310 scatterwalk_start(&walk, sg_src);
311 while (assoclen != 0) {
312 unsigned int size = scatterwalk_clamp(&walk, assoclen);
313 unsigned int left = size;
314 void *mapped = scatterwalk_map(&walk);
315 const u8 *src = (const u8 *)mapped;
316
317 if (pos + size >= AEGIS128L_CHUNK_SIZE) {
318 if (pos > 0) {
319 unsigned int fill = AEGIS128L_CHUNK_SIZE - pos;
320 memcpy(buf.bytes + pos, src, fill);
321 crypto_aegis128l_update_a(state, &buf);
322 pos = 0;
323 left -= fill;
324 src += fill;
325 }
326
327 crypto_aegis128l_ad(state, src, left);
328 src += left & ~(AEGIS128L_CHUNK_SIZE - 1);
329 left &= AEGIS128L_CHUNK_SIZE - 1;
330 }
331
332 memcpy(buf.bytes + pos, src, left);
333
334 pos += left;
335 assoclen -= size;
336 scatterwalk_unmap(mapped);
337 scatterwalk_advance(&walk, size);
338 scatterwalk_done(&walk, 0, assoclen);
339 }
340
341 if (pos > 0) {
342 memset(buf.bytes + pos, 0, AEGIS128L_CHUNK_SIZE - pos);
343 crypto_aegis128l_update_a(state, &buf);
344 }
345}
346
347static void crypto_aegis128l_process_crypt(struct aegis_state *state,
348 struct aead_request *req,
349 const struct aegis128l_ops *ops)
350{
351 struct skcipher_walk walk;
352
353 ops->skcipher_walk_init(&walk, req, false);
354
355 while (walk.nbytes) {
356 unsigned int nbytes = walk.nbytes;
357
358 if (nbytes < walk.total)
359 nbytes = round_down(nbytes, walk.stride);
360
361 ops->crypt_chunk(state, walk.dst.virt.addr, walk.src.virt.addr,
362 nbytes);
363
364 skcipher_walk_done(&walk, walk.nbytes - nbytes);
365 }
366}
367
368static void crypto_aegis128l_final(struct aegis_state *state,
369 union aegis_block *tag_xor,
370 u64 assoclen, u64 cryptlen)
371{
372 u64 assocbits = assoclen * 8;
373 u64 cryptbits = cryptlen * 8;
374
375 union aegis_chunk tmp;
376 unsigned int i;
377
378 tmp.blocks[0].words64[0] = cpu_to_le64(assocbits);
379 tmp.blocks[0].words64[1] = cpu_to_le64(cryptbits);
380
381 crypto_aegis_block_xor(&tmp.blocks[0], &state->blocks[2]);
382
383 tmp.blocks[1] = tmp.blocks[0];
384 for (i = 0; i < 7; i++)
385 crypto_aegis128l_update_a(state, &tmp);
386
387 for (i = 0; i < 7; i++)
388 crypto_aegis_block_xor(tag_xor, &state->blocks[i]);
389}
390
391static int crypto_aegis128l_setkey(struct crypto_aead *aead, const u8 *key,
392 unsigned int keylen)
393{
394 struct aegis_ctx *ctx = crypto_aead_ctx(aead);
395
396 if (keylen != AEGIS128L_KEY_SIZE) {
397 crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN);
398 return -EINVAL;
399 }
400
401 memcpy(ctx->key.bytes, key, AEGIS128L_KEY_SIZE);
402 return 0;
403}
404
405static int crypto_aegis128l_setauthsize(struct crypto_aead *tfm,
406 unsigned int authsize)
407{
408 if (authsize > AEGIS128L_MAX_AUTH_SIZE)
409 return -EINVAL;
410 if (authsize < AEGIS128L_MIN_AUTH_SIZE)
411 return -EINVAL;
412 return 0;
413}
414
415static void crypto_aegis128l_crypt(struct aead_request *req,
416 union aegis_block *tag_xor,
417 unsigned int cryptlen,
418 const struct aegis128l_ops *ops)
419{
420 struct crypto_aead *tfm = crypto_aead_reqtfm(req);
421 struct aegis_ctx *ctx = crypto_aead_ctx(tfm);
422 struct aegis_state state;
423
424 crypto_aegis128l_init(&state, &ctx->key, req->iv);
425 crypto_aegis128l_process_ad(&state, req->src, req->assoclen);
426 crypto_aegis128l_process_crypt(&state, req, ops);
427 crypto_aegis128l_final(&state, tag_xor, req->assoclen, cryptlen);
428}
429
430static int crypto_aegis128l_encrypt(struct aead_request *req)
431{
432 static const struct aegis128l_ops ops = {
433 .skcipher_walk_init = skcipher_walk_aead_encrypt,
434 .crypt_chunk = crypto_aegis128l_encrypt_chunk,
435 };
436
437 struct crypto_aead *tfm = crypto_aead_reqtfm(req);
438 union aegis_block tag = {};
439 unsigned int authsize = crypto_aead_authsize(tfm);
440 unsigned int cryptlen = req->cryptlen;
441
442 crypto_aegis128l_crypt(req, &tag, cryptlen, &ops);
443
444 scatterwalk_map_and_copy(tag.bytes, req->dst, req->assoclen + cryptlen,
445 authsize, 1);
446 return 0;
447}
448
449static int crypto_aegis128l_decrypt(struct aead_request *req)
450{
451 static const struct aegis128l_ops ops = {
452 .skcipher_walk_init = skcipher_walk_aead_decrypt,
453 .crypt_chunk = crypto_aegis128l_decrypt_chunk,
454 };
455 static const u8 zeros[AEGIS128L_MAX_AUTH_SIZE] = {};
456
457 struct crypto_aead *tfm = crypto_aead_reqtfm(req);
458 union aegis_block tag;
459 unsigned int authsize = crypto_aead_authsize(tfm);
460 unsigned int cryptlen = req->cryptlen - authsize;
461
462 scatterwalk_map_and_copy(tag.bytes, req->src, req->assoclen + cryptlen,
463 authsize, 0);
464
465 crypto_aegis128l_crypt(req, &tag, cryptlen, &ops);
466
467 return crypto_memneq(tag.bytes, zeros, authsize) ? -EBADMSG : 0;
468}
469
470static int crypto_aegis128l_init_tfm(struct crypto_aead *tfm)
471{
472 return 0;
473}
474
475static void crypto_aegis128l_exit_tfm(struct crypto_aead *tfm)
476{
477}
478
479static struct aead_alg crypto_aegis128l_alg = {
480 .setkey = crypto_aegis128l_setkey,
481 .setauthsize = crypto_aegis128l_setauthsize,
482 .encrypt = crypto_aegis128l_encrypt,
483 .decrypt = crypto_aegis128l_decrypt,
484 .init = crypto_aegis128l_init_tfm,
485 .exit = crypto_aegis128l_exit_tfm,
486
487 .ivsize = AEGIS128L_NONCE_SIZE,
488 .maxauthsize = AEGIS128L_MAX_AUTH_SIZE,
489 .chunksize = AEGIS128L_CHUNK_SIZE,
490
491 .base = {
492 .cra_blocksize = 1,
493 .cra_ctxsize = sizeof(struct aegis_ctx),
494 .cra_alignmask = 0,
495
496 .cra_priority = 100,
497
498 .cra_name = "aegis128l",
499 .cra_driver_name = "aegis128l-generic",
500
501 .cra_module = THIS_MODULE,
502 }
503};
504
505static int __init crypto_aegis128l_module_init(void)
506{
507 return crypto_register_aead(&crypto_aegis128l_alg);
508}
509
510static void __exit crypto_aegis128l_module_exit(void)
511{
512 crypto_unregister_aead(&crypto_aegis128l_alg);
513}
514
515subsys_initcall(crypto_aegis128l_module_init);
516module_exit(crypto_aegis128l_module_exit);
517
518MODULE_LICENSE("GPL");
519MODULE_AUTHOR("Ondrej Mosnacek <omosnacek@gmail.com>");
520MODULE_DESCRIPTION("AEGIS-128L AEAD algorithm");
521MODULE_ALIAS_CRYPTO("aegis128l");
522MODULE_ALIAS_CRYPTO("aegis128l-generic");
diff --git a/crypto/aegis256.c b/crypto/aegis256.c
deleted file mode 100644
index b47fd39595ad..000000000000
--- a/crypto/aegis256.c
+++ /dev/null
@@ -1,473 +0,0 @@
1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 * The AEGIS-256 Authenticated-Encryption Algorithm
4 *
5 * Copyright (c) 2017-2018 Ondrej Mosnacek <omosnacek@gmail.com>
6 * Copyright (C) 2017-2018 Red Hat, Inc. All rights reserved.
7 */
8
9#include <crypto/algapi.h>
10#include <crypto/internal/aead.h>
11#include <crypto/internal/skcipher.h>
12#include <crypto/scatterwalk.h>
13#include <linux/err.h>
14#include <linux/init.h>
15#include <linux/kernel.h>
16#include <linux/module.h>
17#include <linux/scatterlist.h>
18
19#include "aegis.h"
20
21#define AEGIS256_NONCE_SIZE 32
22#define AEGIS256_STATE_BLOCKS 6
23#define AEGIS256_KEY_SIZE 32
24#define AEGIS256_MIN_AUTH_SIZE 8
25#define AEGIS256_MAX_AUTH_SIZE 16
26
27struct aegis_state {
28 union aegis_block blocks[AEGIS256_STATE_BLOCKS];
29};
30
31struct aegis_ctx {
32 union aegis_block key[AEGIS256_KEY_SIZE / AEGIS_BLOCK_SIZE];
33};
34
35struct aegis256_ops {
36 int (*skcipher_walk_init)(struct skcipher_walk *walk,
37 struct aead_request *req, bool atomic);
38
39 void (*crypt_chunk)(struct aegis_state *state, u8 *dst,
40 const u8 *src, unsigned int size);
41};
42
43static void crypto_aegis256_update(struct aegis_state *state)
44{
45 union aegis_block tmp;
46 unsigned int i;
47
48 tmp = state->blocks[AEGIS256_STATE_BLOCKS - 1];
49 for (i = AEGIS256_STATE_BLOCKS - 1; i > 0; i--)
50 crypto_aegis_aesenc(&state->blocks[i], &state->blocks[i - 1],
51 &state->blocks[i]);
52 crypto_aegis_aesenc(&state->blocks[0], &tmp, &state->blocks[0]);
53}
54
55static void crypto_aegis256_update_a(struct aegis_state *state,
56 const union aegis_block *msg)
57{
58 crypto_aegis256_update(state);
59 crypto_aegis_block_xor(&state->blocks[0], msg);
60}
61
62static void crypto_aegis256_update_u(struct aegis_state *state, const void *msg)
63{
64 crypto_aegis256_update(state);
65 crypto_xor(state->blocks[0].bytes, msg, AEGIS_BLOCK_SIZE);
66}
67
68static void crypto_aegis256_init(struct aegis_state *state,
69 const union aegis_block *key,
70 const u8 *iv)
71{
72 union aegis_block key_iv[2];
73 unsigned int i;
74
75 key_iv[0] = key[0];
76 key_iv[1] = key[1];
77 crypto_xor(key_iv[0].bytes, iv + 0 * AEGIS_BLOCK_SIZE,
78 AEGIS_BLOCK_SIZE);
79 crypto_xor(key_iv[1].bytes, iv + 1 * AEGIS_BLOCK_SIZE,
80 AEGIS_BLOCK_SIZE);
81
82 state->blocks[0] = key_iv[0];
83 state->blocks[1] = key_iv[1];
84 state->blocks[2] = crypto_aegis_const[1];
85 state->blocks[3] = crypto_aegis_const[0];
86 state->blocks[4] = key[0];
87 state->blocks[5] = key[1];
88
89 crypto_aegis_block_xor(&state->blocks[4], &crypto_aegis_const[0]);
90 crypto_aegis_block_xor(&state->blocks[5], &crypto_aegis_const[1]);
91
92 for (i = 0; i < 4; i++) {
93 crypto_aegis256_update_a(state, &key[0]);
94 crypto_aegis256_update_a(state, &key[1]);
95 crypto_aegis256_update_a(state, &key_iv[0]);
96 crypto_aegis256_update_a(state, &key_iv[1]);
97 }
98}
99
100static void crypto_aegis256_ad(struct aegis_state *state,
101 const u8 *src, unsigned int size)
102{
103 if (AEGIS_ALIGNED(src)) {
104 const union aegis_block *src_blk =
105 (const union aegis_block *)src;
106
107 while (size >= AEGIS_BLOCK_SIZE) {
108 crypto_aegis256_update_a(state, src_blk);
109
110 size -= AEGIS_BLOCK_SIZE;
111 src_blk++;
112 }
113 } else {
114 while (size >= AEGIS_BLOCK_SIZE) {
115 crypto_aegis256_update_u(state, src);
116
117 size -= AEGIS_BLOCK_SIZE;
118 src += AEGIS_BLOCK_SIZE;
119 }
120 }
121}
122
123static void crypto_aegis256_encrypt_chunk(struct aegis_state *state, u8 *dst,
124 const u8 *src, unsigned int size)
125{
126 union aegis_block tmp;
127
128 if (AEGIS_ALIGNED(src) && AEGIS_ALIGNED(dst)) {
129 while (size >= AEGIS_BLOCK_SIZE) {
130 union aegis_block *dst_blk =
131 (union aegis_block *)dst;
132 const union aegis_block *src_blk =
133 (const union aegis_block *)src;
134
135 tmp = state->blocks[2];
136 crypto_aegis_block_and(&tmp, &state->blocks[3]);
137 crypto_aegis_block_xor(&tmp, &state->blocks[5]);
138 crypto_aegis_block_xor(&tmp, &state->blocks[4]);
139 crypto_aegis_block_xor(&tmp, &state->blocks[1]);
140 crypto_aegis_block_xor(&tmp, src_blk);
141
142 crypto_aegis256_update_a(state, src_blk);
143
144 *dst_blk = tmp;
145
146 size -= AEGIS_BLOCK_SIZE;
147 src += AEGIS_BLOCK_SIZE;
148 dst += AEGIS_BLOCK_SIZE;
149 }
150 } else {
151 while (size >= AEGIS_BLOCK_SIZE) {
152 tmp = state->blocks[2];
153 crypto_aegis_block_and(&tmp, &state->blocks[3]);
154 crypto_aegis_block_xor(&tmp, &state->blocks[5]);
155 crypto_aegis_block_xor(&tmp, &state->blocks[4]);
156 crypto_aegis_block_xor(&tmp, &state->blocks[1]);
157 crypto_xor(tmp.bytes, src, AEGIS_BLOCK_SIZE);
158
159 crypto_aegis256_update_u(state, src);
160
161 memcpy(dst, tmp.bytes, AEGIS_BLOCK_SIZE);
162
163 size -= AEGIS_BLOCK_SIZE;
164 src += AEGIS_BLOCK_SIZE;
165 dst += AEGIS_BLOCK_SIZE;
166 }
167 }
168
169 if (size > 0) {
170 union aegis_block msg = {};
171 memcpy(msg.bytes, src, size);
172
173 tmp = state->blocks[2];
174 crypto_aegis_block_and(&tmp, &state->blocks[3]);
175 crypto_aegis_block_xor(&tmp, &state->blocks[5]);
176 crypto_aegis_block_xor(&tmp, &state->blocks[4]);
177 crypto_aegis_block_xor(&tmp, &state->blocks[1]);
178
179 crypto_aegis256_update_a(state, &msg);
180
181 crypto_aegis_block_xor(&msg, &tmp);
182
183 memcpy(dst, msg.bytes, size);
184 }
185}
186
187static void crypto_aegis256_decrypt_chunk(struct aegis_state *state, u8 *dst,
188 const u8 *src, unsigned int size)
189{
190 union aegis_block tmp;
191
192 if (AEGIS_ALIGNED(src) && AEGIS_ALIGNED(dst)) {
193 while (size >= AEGIS_BLOCK_SIZE) {
194 union aegis_block *dst_blk =
195 (union aegis_block *)dst;
196 const union aegis_block *src_blk =
197 (const union aegis_block *)src;
198
199 tmp = state->blocks[2];
200 crypto_aegis_block_and(&tmp, &state->blocks[3]);
201 crypto_aegis_block_xor(&tmp, &state->blocks[5]);
202 crypto_aegis_block_xor(&tmp, &state->blocks[4]);
203 crypto_aegis_block_xor(&tmp, &state->blocks[1]);
204 crypto_aegis_block_xor(&tmp, src_blk);
205
206 crypto_aegis256_update_a(state, &tmp);
207
208 *dst_blk = tmp;
209
210 size -= AEGIS_BLOCK_SIZE;
211 src += AEGIS_BLOCK_SIZE;
212 dst += AEGIS_BLOCK_SIZE;
213 }
214 } else {
215 while (size >= AEGIS_BLOCK_SIZE) {
216 tmp = state->blocks[2];
217 crypto_aegis_block_and(&tmp, &state->blocks[3]);
218 crypto_aegis_block_xor(&tmp, &state->blocks[5]);
219 crypto_aegis_block_xor(&tmp, &state->blocks[4]);
220 crypto_aegis_block_xor(&tmp, &state->blocks[1]);
221 crypto_xor(tmp.bytes, src, AEGIS_BLOCK_SIZE);
222
223 crypto_aegis256_update_a(state, &tmp);
224
225 memcpy(dst, tmp.bytes, AEGIS_BLOCK_SIZE);
226
227 size -= AEGIS_BLOCK_SIZE;
228 src += AEGIS_BLOCK_SIZE;
229 dst += AEGIS_BLOCK_SIZE;
230 }
231 }
232
233 if (size > 0) {
234 union aegis_block msg = {};
235 memcpy(msg.bytes, src, size);
236
237 tmp = state->blocks[2];
238 crypto_aegis_block_and(&tmp, &state->blocks[3]);
239 crypto_aegis_block_xor(&tmp, &state->blocks[5]);
240 crypto_aegis_block_xor(&tmp, &state->blocks[4]);
241 crypto_aegis_block_xor(&tmp, &state->blocks[1]);
242 crypto_aegis_block_xor(&msg, &tmp);
243
244 memset(msg.bytes + size, 0, AEGIS_BLOCK_SIZE - size);
245
246 crypto_aegis256_update_a(state, &msg);
247
248 memcpy(dst, msg.bytes, size);
249 }
250}
251
252static void crypto_aegis256_process_ad(struct aegis_state *state,
253 struct scatterlist *sg_src,
254 unsigned int assoclen)
255{
256 struct scatter_walk walk;
257 union aegis_block buf;
258 unsigned int pos = 0;
259
260 scatterwalk_start(&walk, sg_src);
261 while (assoclen != 0) {
262 unsigned int size = scatterwalk_clamp(&walk, assoclen);
263 unsigned int left = size;
264 void *mapped = scatterwalk_map(&walk);
265 const u8 *src = (const u8 *)mapped;
266
267 if (pos + size >= AEGIS_BLOCK_SIZE) {
268 if (pos > 0) {
269 unsigned int fill = AEGIS_BLOCK_SIZE - pos;
270 memcpy(buf.bytes + pos, src, fill);
271 crypto_aegis256_update_a(state, &buf);
272 pos = 0;
273 left -= fill;
274 src += fill;
275 }
276
277 crypto_aegis256_ad(state, src, left);
278 src += left & ~(AEGIS_BLOCK_SIZE - 1);
279 left &= AEGIS_BLOCK_SIZE - 1;
280 }
281
282 memcpy(buf.bytes + pos, src, left);
283
284 pos += left;
285 assoclen -= size;
286 scatterwalk_unmap(mapped);
287 scatterwalk_advance(&walk, size);
288 scatterwalk_done(&walk, 0, assoclen);
289 }
290
291 if (pos > 0) {
292 memset(buf.bytes + pos, 0, AEGIS_BLOCK_SIZE - pos);
293 crypto_aegis256_update_a(state, &buf);
294 }
295}
296
297static void crypto_aegis256_process_crypt(struct aegis_state *state,
298 struct aead_request *req,
299 const struct aegis256_ops *ops)
300{
301 struct skcipher_walk walk;
302
303 ops->skcipher_walk_init(&walk, req, false);
304
305 while (walk.nbytes) {
306 unsigned int nbytes = walk.nbytes;
307
308 if (nbytes < walk.total)
309 nbytes = round_down(nbytes, walk.stride);
310
311 ops->crypt_chunk(state, walk.dst.virt.addr, walk.src.virt.addr,
312 nbytes);
313
314 skcipher_walk_done(&walk, walk.nbytes - nbytes);
315 }
316}
317
318static void crypto_aegis256_final(struct aegis_state *state,
319 union aegis_block *tag_xor,
320 u64 assoclen, u64 cryptlen)
321{
322 u64 assocbits = assoclen * 8;
323 u64 cryptbits = cryptlen * 8;
324
325 union aegis_block tmp;
326 unsigned int i;
327
328 tmp.words64[0] = cpu_to_le64(assocbits);
329 tmp.words64[1] = cpu_to_le64(cryptbits);
330
331 crypto_aegis_block_xor(&tmp, &state->blocks[3]);
332
333 for (i = 0; i < 7; i++)
334 crypto_aegis256_update_a(state, &tmp);
335
336 for (i = 0; i < AEGIS256_STATE_BLOCKS; i++)
337 crypto_aegis_block_xor(tag_xor, &state->blocks[i]);
338}
339
340static int crypto_aegis256_setkey(struct crypto_aead *aead, const u8 *key,
341 unsigned int keylen)
342{
343 struct aegis_ctx *ctx = crypto_aead_ctx(aead);
344
345 if (keylen != AEGIS256_KEY_SIZE) {
346 crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN);
347 return -EINVAL;
348 }
349
350 memcpy(ctx->key[0].bytes, key, AEGIS_BLOCK_SIZE);
351 memcpy(ctx->key[1].bytes, key + AEGIS_BLOCK_SIZE,
352 AEGIS_BLOCK_SIZE);
353 return 0;
354}
355
356static int crypto_aegis256_setauthsize(struct crypto_aead *tfm,
357 unsigned int authsize)
358{
359 if (authsize > AEGIS256_MAX_AUTH_SIZE)
360 return -EINVAL;
361 if (authsize < AEGIS256_MIN_AUTH_SIZE)
362 return -EINVAL;
363 return 0;
364}
365
366static void crypto_aegis256_crypt(struct aead_request *req,
367 union aegis_block *tag_xor,
368 unsigned int cryptlen,
369 const struct aegis256_ops *ops)
370{
371 struct crypto_aead *tfm = crypto_aead_reqtfm(req);
372 struct aegis_ctx *ctx = crypto_aead_ctx(tfm);
373 struct aegis_state state;
374
375 crypto_aegis256_init(&state, ctx->key, req->iv);
376 crypto_aegis256_process_ad(&state, req->src, req->assoclen);
377 crypto_aegis256_process_crypt(&state, req, ops);
378 crypto_aegis256_final(&state, tag_xor, req->assoclen, cryptlen);
379}
380
381static int crypto_aegis256_encrypt(struct aead_request *req)
382{
383 static const struct aegis256_ops ops = {
384 .skcipher_walk_init = skcipher_walk_aead_encrypt,
385 .crypt_chunk = crypto_aegis256_encrypt_chunk,
386 };
387
388 struct crypto_aead *tfm = crypto_aead_reqtfm(req);
389 union aegis_block tag = {};
390 unsigned int authsize = crypto_aead_authsize(tfm);
391 unsigned int cryptlen = req->cryptlen;
392
393 crypto_aegis256_crypt(req, &tag, cryptlen, &ops);
394
395 scatterwalk_map_and_copy(tag.bytes, req->dst, req->assoclen + cryptlen,
396 authsize, 1);
397 return 0;
398}
399
400static int crypto_aegis256_decrypt(struct aead_request *req)
401{
402 static const struct aegis256_ops ops = {
403 .skcipher_walk_init = skcipher_walk_aead_decrypt,
404 .crypt_chunk = crypto_aegis256_decrypt_chunk,
405 };
406 static const u8 zeros[AEGIS256_MAX_AUTH_SIZE] = {};
407
408 struct crypto_aead *tfm = crypto_aead_reqtfm(req);
409 union aegis_block tag;
410 unsigned int authsize = crypto_aead_authsize(tfm);
411 unsigned int cryptlen = req->cryptlen - authsize;
412
413 scatterwalk_map_and_copy(tag.bytes, req->src, req->assoclen + cryptlen,
414 authsize, 0);
415
416 crypto_aegis256_crypt(req, &tag, cryptlen, &ops);
417
418 return crypto_memneq(tag.bytes, zeros, authsize) ? -EBADMSG : 0;
419}
420
421static int crypto_aegis256_init_tfm(struct crypto_aead *tfm)
422{
423 return 0;
424}
425
426static void crypto_aegis256_exit_tfm(struct crypto_aead *tfm)
427{
428}
429
430static struct aead_alg crypto_aegis256_alg = {
431 .setkey = crypto_aegis256_setkey,
432 .setauthsize = crypto_aegis256_setauthsize,
433 .encrypt = crypto_aegis256_encrypt,
434 .decrypt = crypto_aegis256_decrypt,
435 .init = crypto_aegis256_init_tfm,
436 .exit = crypto_aegis256_exit_tfm,
437
438 .ivsize = AEGIS256_NONCE_SIZE,
439 .maxauthsize = AEGIS256_MAX_AUTH_SIZE,
440 .chunksize = AEGIS_BLOCK_SIZE,
441
442 .base = {
443 .cra_blocksize = 1,
444 .cra_ctxsize = sizeof(struct aegis_ctx),
445 .cra_alignmask = 0,
446
447 .cra_priority = 100,
448
449 .cra_name = "aegis256",
450 .cra_driver_name = "aegis256-generic",
451
452 .cra_module = THIS_MODULE,
453 }
454};
455
456static int __init crypto_aegis256_module_init(void)
457{
458 return crypto_register_aead(&crypto_aegis256_alg);
459}
460
461static void __exit crypto_aegis256_module_exit(void)
462{
463 crypto_unregister_aead(&crypto_aegis256_alg);
464}
465
466subsys_initcall(crypto_aegis256_module_init);
467module_exit(crypto_aegis256_module_exit);
468
469MODULE_LICENSE("GPL");
470MODULE_AUTHOR("Ondrej Mosnacek <omosnacek@gmail.com>");
471MODULE_DESCRIPTION("AEGIS-256 AEAD algorithm");
472MODULE_ALIAS_CRYPTO("aegis256");
473MODULE_ALIAS_CRYPTO("aegis256-generic");
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 6258581aa628..d990eba723cd 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -3887,18 +3887,6 @@ static const struct alg_test_desc alg_test_descs[] = {
3887 .aead = __VECS(aegis128_tv_template) 3887 .aead = __VECS(aegis128_tv_template)
3888 } 3888 }
3889 }, { 3889 }, {
3890 .alg = "aegis128l",
3891 .test = alg_test_aead,
3892 .suite = {
3893 .aead = __VECS(aegis128l_tv_template)
3894 }
3895 }, {
3896 .alg = "aegis256",
3897 .test = alg_test_aead,
3898 .suite = {
3899 .aead = __VECS(aegis256_tv_template)
3900 }
3901 }, {
3902 .alg = "ansi_cprng", 3890 .alg = "ansi_cprng",
3903 .test = alg_test_cprng, 3891 .test = alg_test_cprng,
3904 .suite = { 3892 .suite = {
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index fca03fa018fc..154052d07818 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -19489,990 +19489,6 @@ static const struct aead_testvec aegis128_tv_template[] = {
19489}; 19489};
19490 19490
19491/* 19491/*
19492 * AEGIS-128L test vectors - generated via reference implementation from
19493 * SUPERCOP (https://bench.cr.yp.to/supercop.html):
19494 *
19495 * https://bench.cr.yp.to/supercop/supercop-20170228.tar.xz
19496 * (see crypto_aead/aegis128l/)
19497 */
19498static const struct aead_testvec aegis128l_tv_template[] = {
19499 {
19500 .key = "\x0f\xc9\x8e\x67\x44\x9e\xaa\x86"
19501 "\x20\x36\x2c\x24\xfe\xc9\x30\x81",
19502 .klen = 16,
19503 .iv = "\x1e\x92\x1c\xcf\x88\x3d\x54\x0d"
19504 "\x40\x6d\x59\x48\xfc\x92\x61\x03",
19505 .assoc = "",
19506 .alen = 0,
19507 .ptext = "",
19508 .plen = 0,
19509 .ctext = "\x30\x4f\xf3\xe9\xb1\xfa\x81\xa6"
19510 "\x20\x72\x78\xdd\x93\xc8\x57\xef",
19511 .clen = 16,
19512 }, {
19513 .key = "\x4b\xed\xc8\x07\x54\x1a\x52\xa2"
19514 "\xa1\x10\xde\xb5\xf8\xed\xf3\x87",
19515 .klen = 16,
19516 .iv = "\x5a\xb7\x56\x6e\x98\xb9\xfd\x29"
19517 "\xc1\x47\x0b\xda\xf6\xb6\x23\x09",
19518 .assoc = "",
19519 .alen = 0,
19520 .ptext = "\x79",
19521 .plen = 1,
19522 .ctext = "\xa9\x24\xa0\xb6\x2d\xdd\x29\xdb"
19523 "\x40\xb3\x71\xc5\x22\x58\x31\x77"
19524 "\x6d",
19525 .clen = 17,
19526 }, {
19527 .key = "\x88\x12\x01\xa6\x64\x96\xfb\xbe"
19528 "\x22\xea\x90\x47\xf2\x11\xb5\x8e",
19529 .klen = 16,
19530 .iv = "\x97\xdb\x90\x0e\xa8\x35\xa5\x45"
19531 "\x42\x21\xbd\x6b\xf0\xda\xe6\x0f",
19532 .assoc = "",
19533 .alen = 0,
19534 .ptext = "\xb5\x6e\xad\xdd\x30\x72\xfa\x53"
19535 "\x82\x8e\x16\xb4\xed\x6d\x47",
19536 .plen = 15,
19537 .ctext = "\xbb\x0a\x53\xc4\xaa\x7e\xa4\x03"
19538 "\x2b\xee\x62\x99\x7b\x98\x13\x1f"
19539 "\xe0\x76\x4c\x2e\x53\x99\x4f\xbe"
19540 "\xe1\xa8\x04\x7f\xe1\x71\xbe",
19541 .clen = 31,
19542 }, {
19543 .key = "\xc4\x37\x3b\x45\x74\x11\xa4\xda"
19544 "\xa2\xc5\x42\xd8\xec\x36\x78\x94",
19545 .klen = 16,
19546 .iv = "\xd3\x00\xc9\xad\xb8\xb0\x4e\x61"
19547 "\xc3\xfb\x6f\xfd\xea\xff\xa9\x15",
19548 .assoc = "",
19549 .alen = 0,
19550 .ptext = "\xf2\x92\xe6\x7d\x40\xee\xa3\x6f"
19551 "\x03\x68\xc8\x45\xe7\x91\x0a\x18",
19552 .plen = 16,
19553 .ctext = "\x66\xdf\x6e\x71\xc0\x6e\xa4\x4c"
19554 "\x9d\xb7\x8c\x9a\xdb\x1f\xd2\x2e"
19555 "\x23\xb6\xa4\xfb\xd3\x86\xdd\xbb"
19556 "\xde\x54\x9b\xf5\x92\x8b\x93\xc5",
19557 .clen = 32,
19558 }, {
19559 .key = "\x01\x5c\x75\xe5\x84\x8d\x4d\xf6"
19560 "\x23\x9f\xf4\x6a\xe6\x5a\x3b\x9a",
19561 .klen = 16,
19562 .iv = "\x10\x25\x03\x4c\xc8\x2c\xf7\x7d"
19563 "\x44\xd5\x21\x8e\xe4\x23\x6b\x1c",
19564 .assoc = "",
19565 .alen = 0,
19566 .ptext = "\x2e\xb7\x20\x1c\x50\x6a\x4b\x8b"
19567 "\x84\x42\x7a\xd7\xe1\xb5\xcd\x1f"
19568 "\xd3",
19569 .plen = 17,
19570 .ctext = "\x4f\xc3\x69\xb6\xd3\xa4\x64\x8b"
19571 "\x71\xc3\x8a\x91\x22\x4f\x1b\xd2"
19572 "\x33\x6d\x86\xbc\xf8\x2f\x06\xf9"
19573 "\x82\x64\xc7\x72\x00\x30\xfc\xf0"
19574 "\xf8",
19575 .clen = 33,
19576 }, {
19577 .key = "\x3d\x80\xae\x84\x94\x09\xf6\x12"
19578 "\xa4\x79\xa6\xfb\xe0\x7f\xfd\xa0",
19579 .klen = 16,
19580 .iv = "\x4c\x49\x3d\xec\xd8\xa8\xa0\x98"
19581 "\xc5\xb0\xd3\x1f\xde\x48\x2e\x22",
19582 .assoc = "",
19583 .alen = 0,
19584 .ptext = "\x6b\xdc\x5a\xbb\x60\xe5\xf4\xa6"
19585 "\x05\x1d\x2c\x68\xdb\xda\x8f\x25"
19586 "\xfe\x8d\x45\x19\x1e\xc0\x0b\x99"
19587 "\x88\x11\x39\x12\x1c\x3a\xbb",
19588 .plen = 31,
19589 .ctext = "\xe3\x93\x15\xae\x5f\x9d\x3c\xb5"
19590 "\xd6\x9d\xee\xee\xcf\xaa\xaf\xe1"
19591 "\x45\x10\x96\xe0\xbf\x55\x0f\x4c"
19592 "\x1a\xfd\xf4\xda\x4e\x10\xde\xc9"
19593 "\x0e\x6f\xc7\x3c\x49\x94\x41\xfc"
19594 "\x59\x28\x88\x3c\x79\x10\x6b",
19595 .clen = 47,
19596 }, {
19597 .key = "\x7a\xa5\xe8\x23\xa4\x84\x9e\x2d"
19598 "\x25\x53\x58\x8c\xda\xa3\xc0\xa6",
19599 .klen = 16,
19600 .iv = "\x89\x6e\x77\x8b\xe8\x23\x49\xb4"
19601 "\x45\x8a\x85\xb1\xd8\x6c\xf1\x28",
19602 .assoc = "",
19603 .alen = 0,
19604 .ptext = "\xa7\x00\x93\x5b\x70\x61\x9d\xc2"
19605 "\x86\xf7\xde\xfa\xd5\xfe\x52\x2b"
19606 "\x28\x50\x51\x9d\x24\x60\x8d\xb3"
19607 "\x49\x3e\x17\xea\xf6\x99\x5a\xdd",
19608 .plen = 32,
19609 .ctext = "\x1c\x8e\x22\x34\xfd\xab\xe6\x0d"
19610 "\x1c\x9f\x06\x54\x8b\x0b\xb4\x40"
19611 "\xde\x11\x59\x3e\xfd\x74\xf6\x42"
19612 "\x97\x17\xf7\x24\xb6\x7e\xc4\xc6"
19613 "\x06\xa3\x94\xda\x3d\x7f\x55\x0a"
19614 "\x92\x07\x2f\xa6\xf3\x6b\x2c\xfc",
19615 .clen = 48,
19616 }, {
19617 .key = "\xb6\xca\x22\xc3\xb4\x00\x47\x49"
19618 "\xa6\x2d\x0a\x1e\xd4\xc7\x83\xad",
19619 .klen = 16,
19620 .iv = "\xc5\x93\xb0\x2a\xf8\x9f\xf1\xd0"
19621 "\xc6\x64\x37\x42\xd2\x90\xb3\x2e",
19622 .assoc = "\xd5",
19623 .alen = 1,
19624 .ptext = "",
19625 .plen = 0,
19626 .ctext = "\xa0\x2a\xb4\x9a\x91\x00\x15\xb8"
19627 "\x0f\x9a\x15\x60\x0e\x9b\x13\x8f",
19628 .clen = 16,
19629 }, {
19630 .key = "\xf3\xee\x5c\x62\xc4\x7c\xf0\x65"
19631 "\x27\x08\xbd\xaf\xce\xec\x45\xb3",
19632 .klen = 16,
19633 .iv = "\x02\xb8\xea\xca\x09\x1b\x9a\xec"
19634 "\x47\x3e\xe9\xd4\xcc\xb5\x76\x34",
19635 .assoc = "\x11\x81\x78\x32\x4d\xb9\x44\x73"
19636 "\x68\x75\x16\xf8\xcb\x7e\xa7",
19637 .alen = 15,
19638 .ptext = "",
19639 .plen = 0,
19640 .ctext = "\x4c\x26\xad\x9c\x14\xfd\x9c\x8c"
19641 "\x84\xfb\x26\xfb\xd5\xca\x62\x39",
19642 .clen = 16,
19643 }, {
19644 .key = "\x2f\x13\x95\x01\xd5\xf7\x99\x81"
19645 "\xa8\xe2\x6f\x41\xc8\x10\x08\xb9",
19646 .klen = 16,
19647 .iv = "\x3f\xdc\x24\x69\x19\x96\x43\x08"
19648 "\xc8\x18\x9b\x65\xc6\xd9\x39\x3b",
19649 .assoc = "\x4e\xa5\xb2\xd1\x5d\x35\xed\x8f"
19650 "\xe8\x4f\xc8\x89\xc5\xa2\x69\xbc",
19651 .alen = 16,
19652 .ptext = "",
19653 .plen = 0,
19654 .ctext = "\x45\x85\x0e\x0f\xf4\xae\x96\xa1"
19655 "\x99\x4d\x6d\xb4\x67\x32\xb0\x3a",
19656 .clen = 16,
19657 }, {
19658 .key = "\x6c\x38\xcf\xa1\xe5\x73\x41\x9d"
19659 "\x29\xbc\x21\xd2\xc2\x35\xcb\xbf",
19660 .klen = 16,
19661 .iv = "\x7b\x01\x5d\x08\x29\x12\xec\x24"
19662 "\x49\xf3\x4d\xf7\xc0\xfe\xfb\x41",
19663 .assoc = "\x8a\xca\xec\x70\x6d\xb1\x96\xab"
19664 "\x69\x29\x7a\x1b\xbf\xc7\x2c\xc2"
19665 "\x07",
19666 .alen = 17,
19667 .ptext = "",
19668 .plen = 0,
19669 .ctext = "\x33\xb1\x42\x97\x8e\x16\x7b\x63"
19670 "\x06\xba\x5b\xcb\xae\x6d\x8b\x56",
19671 .clen = 16,
19672 }, {
19673 .key = "\xa8\x5c\x09\x40\xf5\xef\xea\xb8"
19674 "\xaa\x96\xd3\x64\xbc\x59\x8d\xc6",
19675 .klen = 16,
19676 .iv = "\xb8\x26\x97\xa8\x39\x8e\x94\x3f"
19677 "\xca\xcd\xff\x88\xba\x22\xbe\x47",
19678 .assoc = "\xc7\xef\x26\x10\x7d\x2c\x3f\xc6"
19679 "\xea\x03\x2c\xac\xb9\xeb\xef\xc9"
19680 "\x31\x6b\x08\x12\xfc\xd8\x37\x2d"
19681 "\xe0\x17\x3a\x2e\x83\x5c\x8f",
19682 .alen = 31,
19683 .ptext = "",
19684 .plen = 0,
19685 .ctext = "\xda\x44\x08\x8c\x2a\xa5\x07\x35"
19686 "\x0b\x54\x4e\x6d\xe3\xfd\xc4\x5f",
19687 .clen = 16,
19688 }, {
19689 .key = "\xe5\x81\x42\xdf\x05\x6a\x93\xd4"
19690 "\x2b\x70\x85\xf5\xb6\x7d\x50\xcc",
19691 .klen = 16,
19692 .iv = "\xf4\x4a\xd1\x47\x49\x09\x3d\x5b"
19693 "\x4b\xa7\xb1\x19\xb4\x46\x81\x4d",
19694 .assoc = "\x03\x14\x5f\xaf\x8d\xa8\xe7\xe2"
19695 "\x6b\xde\xde\x3e\xb3\x10\xb1\xcf"
19696 "\x5c\x2d\x14\x96\x01\x78\xb9\x47"
19697 "\xa1\x44\x19\x06\x5d\xbb\x2e\x2f",
19698 .alen = 32,
19699 .ptext = "",
19700 .plen = 0,
19701 .ctext = "\x1b\xb1\xf1\xa8\x9e\xc2\xb2\x88"
19702 "\x40\x7f\x7b\x19\x7a\x52\x8c\xf0",
19703 .clen = 16,
19704 }, {
19705 .key = "\x22\xa6\x7c\x7f\x15\xe6\x3c\xf0"
19706 "\xac\x4b\x37\x86\xb0\xa2\x13\xd2",
19707 .klen = 16,
19708 .iv = "\x31\x6f\x0b\xe6\x59\x85\xe6\x77"
19709 "\xcc\x81\x63\xab\xae\x6b\x43\x54",
19710 .assoc = "\x40",
19711 .alen = 1,
19712 .ptext = "\x4f",
19713 .plen = 1,
19714 .ctext = "\x6e\xc8\xfb\x15\x9d\x98\x49\xc9"
19715 "\xa0\x98\x09\x85\xbe\x56\x8e\x79"
19716 "\xf4",
19717 .clen = 17,
19718 }, {
19719 .key = "\x5e\xcb\xb6\x1e\x25\x62\xe4\x0c"
19720 "\x2d\x25\xe9\x18\xaa\xc6\xd5\xd8",
19721 .klen = 16,
19722 .iv = "\x6d\x94\x44\x86\x69\x00\x8f\x93"
19723 "\x4d\x5b\x15\x3c\xa8\x8f\x06\x5a",
19724 .assoc = "\x7c\x5d\xd3\xee\xad\x9f\x39\x1a"
19725 "\x6d\x92\x42\x61\xa7\x58\x37",
19726 .alen = 15,
19727 .ptext = "\x8b\x26\x61\x55\xf1\x3e\xe3\xa1"
19728 "\x8d\xc8\x6e\x85\xa5\x21\x67",
19729 .plen = 15,
19730 .ctext = "\x99\x2e\x84\x50\x64\x5c\xab\x29"
19731 "\x20\xba\xb9\x2f\x62\x3a\xce\x2a"
19732 "\x75\x25\x3b\xe3\x40\xe0\x1d\xfc"
19733 "\x20\x63\x0b\x49\x7e\x97\x08",
19734 .clen = 31,
19735 }, {
19736 .key = "\x9b\xef\xf0\xbd\x35\xdd\x8d\x28"
19737 "\xad\xff\x9b\xa9\xa4\xeb\x98\xdf",
19738 .klen = 16,
19739 .iv = "\xaa\xb8\x7e\x25\x79\x7c\x37\xaf"
19740 "\xce\x36\xc7\xce\xa2\xb4\xc9\x60",
19741 .assoc = "\xb9\x82\x0c\x8d\xbd\x1b\xe2\x36"
19742 "\xee\x6c\xf4\xf2\xa1\x7d\xf9\xe2",
19743 .alen = 16,
19744 .ptext = "\xc8\x4b\x9b\xf5\x01\xba\x8c\xbd"
19745 "\x0e\xa3\x21\x16\x9f\x46\x2a\x63",
19746 .plen = 16,
19747 .ctext = "\xd9\x8e\xfd\x50\x8f\x02\x9f\xee"
19748 "\x78\x08\x12\xec\x09\xaf\x53\x14"
19749 "\x90\x3e\x3d\x76\xad\x71\x21\x08"
19750 "\x77\xe5\x4b\x15\xc2\xe6\xbc\xdb",
19751 .clen = 32,
19752 }, {
19753 .key = "\xd7\x14\x29\x5d\x45\x59\x36\x44"
19754 "\x2e\xd9\x4d\x3b\x9e\x0f\x5b\xe5",
19755 .klen = 16,
19756 .iv = "\xe6\xdd\xb8\xc4\x89\xf8\xe0\xca"
19757 "\x4f\x10\x7a\x5f\x9c\xd8\x8b\x66",
19758 .assoc = "\xf5\xa6\x46\x2c\xce\x97\x8a\x51"
19759 "\x6f\x46\xa6\x83\x9b\xa1\xbc\xe8"
19760 "\x05",
19761 .alen = 17,
19762 .ptext = "\x05\x70\xd5\x94\x12\x36\x35\xd8"
19763 "\x8f\x7d\xd3\xa8\x99\x6a\xed\x69"
19764 "\xd0",
19765 .plen = 17,
19766 .ctext = "\xf3\xe7\x95\x86\xcf\x34\x95\x96"
19767 "\x17\xfe\x1b\xae\x1b\x31\xf2\x1a"
19768 "\xbd\xbc\xc9\x4e\x11\x29\x09\x5c"
19769 "\x05\xd3\xb4\x2e\x4a\x74\x59\x49"
19770 "\x7d",
19771 .clen = 33,
19772 }, {
19773 .key = "\x14\x39\x63\xfc\x56\xd5\xdf\x5f"
19774 "\xaf\xb3\xff\xcc\x98\x33\x1d\xeb",
19775 .klen = 16,
19776 .iv = "\x23\x02\xf1\x64\x9a\x73\x89\xe6"
19777 "\xd0\xea\x2c\xf1\x96\xfc\x4e\x6d",
19778 .assoc = "\x32\xcb\x80\xcc\xde\x12\x33\x6d"
19779 "\xf0\x20\x58\x15\x95\xc6\x7f\xee"
19780 "\x2f\xf9\x4e\x2c\x1b\x98\x43\xc7"
19781 "\x68\x28\x73\x40\x9f\x96\x4a",
19782 .alen = 31,
19783 .ptext = "\x41\x94\x0e\x33\x22\xb1\xdd\xf4"
19784 "\x10\x57\x85\x39\x93\x8f\xaf\x70"
19785 "\xfa\xa9\xd0\x4d\x5c\x40\x23\xcd"
19786 "\x98\x34\xab\x37\x56\xae\x32",
19787 .plen = 31,
19788 .ctext = "\x06\x96\xb2\xbf\x63\xf4\x1e\x24"
19789 "\x0d\x19\x15\x61\x65\x3b\x06\x26"
19790 "\x71\xe8\x7e\x16\xdb\x96\x01\x01"
19791 "\x52\xcd\x49\x5b\x07\x33\x4e\xe7"
19792 "\xaa\x91\xf5\xd5\xc6\xfe\x41\xb5"
19793 "\xed\x90\xce\xb9\xcd\xcc\xa1",
19794 .clen = 47,
19795 }, {
19796 .key = "\x50\x5d\x9d\x9b\x66\x50\x88\x7b"
19797 "\x30\x8e\xb1\x5e\x92\x58\xe0\xf1",
19798 .klen = 16,
19799 .iv = "\x5f\x27\x2b\x03\xaa\xef\x32\x02"
19800 "\x50\xc4\xde\x82\x90\x21\x11\x73",
19801 .assoc = "\x6e\xf0\xba\x6b\xee\x8e\xdc\x89"
19802 "\x71\xfb\x0a\xa6\x8f\xea\x41\xf4"
19803 "\x5a\xbb\x59\xb0\x20\x38\xc5\xe0"
19804 "\x29\x56\x52\x19\x79\xf5\xe9\x37",
19805 .alen = 32,
19806 .ptext = "\x7e\xb9\x48\xd3\x32\x2d\x86\x10"
19807 "\x91\x31\x37\xcb\x8d\xb3\x72\x76"
19808 "\x24\x6b\xdc\xd1\x61\xe0\xa5\xe7"
19809 "\x5a\x61\x8a\x0f\x30\x0d\xd1\xec",
19810 .plen = 32,
19811 .ctext = "\xf9\xd7\xee\x17\xfd\x24\xcd\xf1"
19812 "\xbc\x0f\x35\x97\x97\x0c\x4b\x18"
19813 "\xce\x58\xc8\x3b\xd4\x85\x93\x79"
19814 "\xcc\x9c\xea\xc1\x73\x13\x0b\x4c"
19815 "\xcc\x6f\x28\xf8\xa4\x4e\xb8\x56"
19816 "\x64\x4e\x47\xce\xb2\xb4\x92\xb4",
19817 .clen = 48,
19818 }, {
19819 .key = "\x8d\x82\xd6\x3b\x76\xcc\x30\x97"
19820 "\xb1\x68\x63\xef\x8c\x7c\xa3\xf7",
19821 .klen = 16,
19822 .iv = "\x9c\x4b\x65\xa2\xba\x6b\xdb\x1e"
19823 "\xd1\x9e\x90\x13\x8a\x45\xd3\x79",
19824 .assoc = "\xab\x14\xf3\x0a\xfe\x0a\x85\xa5"
19825 "\xf2\xd5\xbc\x38\x89\x0e\x04\xfb"
19826 "\x84\x7d\x65\x34\x25\xd8\x47\xfa"
19827 "\xeb\x83\x31\xf1\x54\x54\x89\x0d"
19828 "\x9d",
19829 .alen = 33,
19830 .ptext = "\xba\xde\x82\x72\x42\xa9\x2f\x2c"
19831 "\x12\x0b\xe9\x5c\x87\xd7\x35\x7c"
19832 "\x4f\x2e\xe8\x55\x66\x80\x27\x00"
19833 "\x1b\x8f\x68\xe7\x0a\x6c\x71\xc3"
19834 "\x21\x78\x55\x9d\x9c\x65\x7b\xcd"
19835 "\x0a\x34\x97\xff\x47\x37\xb0\x2a"
19836 "\x80\x0d\x19\x98\x33\xa9\x7a\xe3"
19837 "\x2e\x4c\xc6\xf3\x8c\x88\x42\x01"
19838 "\xbd",
19839 .plen = 65,
19840 .ctext = "\x58\xfa\x3a\x3d\xd9\x88\x63\xe8"
19841 "\xc5\x78\x50\x8b\x4a\xc9\xdf\x7f"
19842 "\x4b\xfa\xc8\x2e\x67\x43\xf3\x63"
19843 "\x42\x8e\x99\x5a\x9c\x0b\x84\x77"
19844 "\xbc\x46\x76\x48\x82\xc7\x57\x96"
19845 "\xe1\x65\xd1\xed\x1d\xdd\x80\x24"
19846 "\xa6\x4d\xa9\xf1\x53\x8b\x5e\x0e"
19847 "\x26\xb9\xcc\x37\xe5\x43\xe1\x5a"
19848 "\x8a\xd6\x8c\x5a\xe4\x95\xd1\x8d"
19849 "\xf7\x33\x64\xc1\xd3\xf2\xfc\x35"
19850 "\x01",
19851 .clen = 81,
19852 }, {
19853 .key = "\xc9\xa7\x10\xda\x86\x48\xd9\xb3"
19854 "\x32\x42\x15\x80\x85\xa1\x65\xfe",
19855 .klen = 16,
19856 .iv = "\xd8\x70\x9f\x42\xca\xe6\x83\x3a"
19857 "\x52\x79\x42\xa5\x84\x6a\x96\x7f",
19858 .assoc = "\xe8\x39\x2d\xaa\x0e\x85\x2d\xc1"
19859 "\x72\xaf\x6e\xc9\x82\x33\xc7\x01"
19860 "\xaf\x40\x70\xb8\x2a\x78\xc9\x14"
19861 "\xac\xb1\x10\xca\x2e\xb3\x28\xe4"
19862 "\xac\xfa\x58\x7f\xe5\x73\x09\x8c"
19863 "\x1d\x40\x87\x8c\xd9\x75\xc0\x55"
19864 "\xa2\xda\x07\xd1\xc2\xa9\xd1\xbb"
19865 "\x09\x4f\x77\x62\x88\x2d\xf2\x68"
19866 "\x54",
19867 .alen = 65,
19868 .ptext = "\xf7\x02\xbb\x11\x52\x24\xd8\x48"
19869 "\x93\xe6\x9b\xee\x81\xfc\xf7\x82"
19870 "\x79\xf0\xf3\xd9\x6c\x20\xa9\x1a"
19871 "\xdc\xbc\x47\xc0\xe4\xcb\x10\x99"
19872 "\x2f",
19873 .plen = 33,
19874 .ctext = "\x4c\xa9\xac\x71\xed\x10\xa6\x24"
19875 "\xb7\xa7\xdf\x8b\xf5\xc2\x41\xcb"
19876 "\x05\xc9\xd6\x97\xb6\x10\x7f\x17"
19877 "\xc2\xc0\x93\xcf\xe0\x94\xfd\x99"
19878 "\xf2\x62\x25\x28\x01\x23\x6f\x8b"
19879 "\x04\x52\xbc\xb0\x3e\x66\x52\x90"
19880 "\x9f",
19881 .clen = 49,
19882 }, {
19883 .key = "\x06\xcc\x4a\x79\x96\xc3\x82\xcf"
19884 "\xb3\x1c\xc7\x12\x7f\xc5\x28\x04",
19885 .klen = 16,
19886 .iv = "\x15\x95\xd8\xe1\xda\x62\x2c\x56"
19887 "\xd3\x53\xf4\x36\x7e\x8e\x59\x85",
19888 .assoc = "\x24\x5e\x67\x49\x1e\x01\xd6\xdd"
19889 "\xf3\x89\x20\x5b\x7c\x57\x89\x07",
19890 .alen = 16,
19891 .ptext = "\x33\x27\xf5\xb1\x62\xa0\x80\x63"
19892 "\x14\xc0\x4d\x7f\x7b\x20\xba\x89",
19893 .plen = 16,
19894 .ctext = "\x6d\xed\x04\x7a\x2f\x0c\x30\xa5"
19895 "\x96\xe6\x97\xe4\x10\xeb\x40\x95"
19896 "\xc5\x9a\xdf\x31\xd5\xa5\xa6\xec"
19897 "\x05\xa8\x31\x50\x11\x19\x44",
19898 .clen = 31,
19899 }, {
19900 .key = "\x42\xf0\x84\x19\xa6\x3f\x2b\xea"
19901 "\x34\xf6\x79\xa3\x79\xe9\xeb\x0a",
19902 .klen = 16,
19903 .iv = "\x51\xb9\x12\x80\xea\xde\xd5\x71"
19904 "\x54\x2d\xa6\xc8\x78\xb2\x1b\x8c",
19905 .assoc = "\x61\x83\xa0\xe8\x2e\x7d\x7f\xf8"
19906 "\x74\x63\xd2\xec\x76\x7c\x4c\x0d",
19907 .alen = 16,
19908 .ptext = "\x70\x4c\x2f\x50\x72\x1c\x29\x7f"
19909 "\x95\x9a\xff\x10\x75\x45\x7d\x8f",
19910 .plen = 16,
19911 .ctext = "\x30\x95\x7d\xea\xdc\x62\xc0\x88"
19912 "\xa1\xe3\x8d\x8c\xac\x04\x10\xa7"
19913 "\xfa\xfa\x07\xbd\xa0\xf0\x36\xeb"
19914 "\x21\x93\x2e\x31\x84\x83",
19915 .clen = 30,
19916 }, {
19917 .key = "\x7f\x15\xbd\xb8\xb6\xba\xd3\x06"
19918 "\xb5\xd1\x2b\x35\x73\x0e\xad\x10",
19919 .klen = 16,
19920 .iv = "\x8e\xde\x4c\x20\xfa\x59\x7e\x8d"
19921 "\xd5\x07\x58\x59\x72\xd7\xde\x92",
19922 .assoc = "\x9d\xa7\xda\x88\x3e\xf8\x28\x14"
19923 "\xf5\x3e\x85\x7d\x70\xa0\x0f\x13",
19924 .alen = 16,
19925 .ptext = "\xac\x70\x69\xef\x82\x97\xd2\x9b"
19926 "\x15\x74\xb1\xa2\x6f\x69\x3f\x95",
19927 .plen = 16,
19928 .ctext = "\x93\xcd\xee\xd4\xcb\x9d\x8d\x16"
19929 "\x63\x0d\x43\xd5\x49\xca\xa8\x85"
19930 "\x49\xc0\xae\x13\xbc\x26\x1d\x4b",
19931 .clen = 24,
19932 },
19933};
19934
19935/*
19936 * AEGIS-256 test vectors - generated via reference implementation from
19937 * SUPERCOP (https://bench.cr.yp.to/supercop.html):
19938 *
19939 * https://bench.cr.yp.to/supercop/supercop-20170228.tar.xz
19940 * (see crypto_aead/aegis256/)
19941 */
19942static const struct aead_testvec aegis256_tv_template[] = {
19943 {
19944 .key = "\x0f\xc9\x8e\x67\x44\x9e\xaa\x86"
19945 "\x20\x36\x2c\x24\xfe\xc9\x30\x81"
19946 "\xca\xb0\x82\x21\x41\xa8\xe0\x06"
19947 "\x30\x0b\x37\xf6\xb6\x17\xe7\xb5",
19948 .klen = 32,
19949 .iv = "\x1e\x92\x1c\xcf\x88\x3d\x54\x0d"
19950 "\x40\x6d\x59\x48\xfc\x92\x61\x03"
19951 "\x95\x61\x05\x42\x82\x50\xc0\x0c"
19952 "\x60\x16\x6f\xec\x6d\x2f\xcf\x6b",
19953 .assoc = "",
19954 .alen = 0,
19955 .ptext = "",
19956 .plen = 0,
19957 .ctext = "\xd5\x65\x3a\xa9\x03\x51\xd7\xaa"
19958 "\xfa\x4b\xd8\xa2\x41\x9b\xc1\xb2",
19959 .clen = 16,
19960 }, {
19961 .key = "\x4b\xed\xc8\x07\x54\x1a\x52\xa2"
19962 "\xa1\x10\xde\xb5\xf8\xed\xf3\x87"
19963 "\xf4\x72\x8e\xa5\x46\x48\x62\x20"
19964 "\xf1\x38\x16\xce\x90\x76\x87\x8c",
19965 .klen = 32,
19966 .iv = "\x5a\xb7\x56\x6e\x98\xb9\xfd\x29"
19967 "\xc1\x47\x0b\xda\xf6\xb6\x23\x09"
19968 "\xbf\x23\x11\xc6\x87\xf0\x42\x26"
19969 "\x22\x44\x4e\xc4\x47\x8e\x6e\x41",
19970 .assoc = "",
19971 .alen = 0,
19972 .ptext = "\x79",
19973 .plen = 1,
19974 .ctext = "\x84\xa2\x8f\xad\xdb\x8d\x2c\x16"
19975 "\x9e\x89\xd9\x06\xa6\xa8\x14\x29"
19976 "\x8b",
19977 .clen = 17,
19978 }, {
19979 .key = "\x88\x12\x01\xa6\x64\x96\xfb\xbe"
19980 "\x22\xea\x90\x47\xf2\x11\xb5\x8e"
19981 "\x1f\x35\x9a\x29\x4b\xe8\xe4\x39"
19982 "\xb3\x66\xf5\xa6\x6a\xd5\x26\x62",
19983 .klen = 32,
19984 .iv = "\x97\xdb\x90\x0e\xa8\x35\xa5\x45"
19985 "\x42\x21\xbd\x6b\xf0\xda\xe6\x0f"
19986 "\xe9\xe5\x1d\x4a\x8c\x90\xc4\x40"
19987 "\xe3\x71\x2d\x9c\x21\xed\x0e\x18",
19988 .assoc = "",
19989 .alen = 0,
19990 .ptext = "\xb5\x6e\xad\xdd\x30\x72\xfa\x53"
19991 "\x82\x8e\x16\xb4\xed\x6d\x47",
19992 .plen = 15,
19993 .ctext = "\x09\x94\x1f\xa6\x13\xc3\x74\x75"
19994 "\x17\xad\x8a\x0e\xd8\x66\x9a\x28"
19995 "\xd7\x30\x66\x09\x2a\xdc\xfa\x2a"
19996 "\x9f\x3b\xd7\xdd\x66\xd1\x2b",
19997 .clen = 31,
19998 }, {
19999 .key = "\xc4\x37\x3b\x45\x74\x11\xa4\xda"
20000 "\xa2\xc5\x42\xd8\xec\x36\x78\x94"
20001 "\x49\xf7\xa5\xad\x50\x88\x66\x53"
20002 "\x74\x94\xd4\x7f\x44\x34\xc5\x39",
20003 .klen = 32,
20004 .iv = "\xd3\x00\xc9\xad\xb8\xb0\x4e\x61"
20005 "\xc3\xfb\x6f\xfd\xea\xff\xa9\x15"
20006 "\x14\xa8\x28\xce\x92\x30\x46\x59"
20007 "\xa4\x9f\x0b\x75\xfb\x4c\xad\xee",
20008 .assoc = "",
20009 .alen = 0,
20010 .ptext = "\xf2\x92\xe6\x7d\x40\xee\xa3\x6f"
20011 "\x03\x68\xc8\x45\xe7\x91\x0a\x18",
20012 .plen = 16,
20013 .ctext = "\x8a\x46\xa2\x22\x8c\x03\xab\x6f"
20014 "\x54\x63\x4e\x7f\xc9\x8e\xfa\x70"
20015 "\x7b\xe5\x8d\x78\xbc\xe9\xb6\xa1"
20016 "\x29\x17\xc8\x3b\x52\xa4\x98\x72",
20017 .clen = 32,
20018 }, {
20019 .key = "\x01\x5c\x75\xe5\x84\x8d\x4d\xf6"
20020 "\x23\x9f\xf4\x6a\xe6\x5a\x3b\x9a"
20021 "\x74\xb9\xb1\x32\x55\x28\xe8\x6d"
20022 "\x35\xc1\xb3\x57\x1f\x93\x64\x0f",
20023 .klen = 32,
20024 .iv = "\x10\x25\x03\x4c\xc8\x2c\xf7\x7d"
20025 "\x44\xd5\x21\x8e\xe4\x23\x6b\x1c"
20026 "\x3e\x6a\x34\x53\x97\xd0\xc8\x73"
20027 "\x66\xcd\xea\x4d\xd5\xab\x4c\xc5",
20028 .assoc = "",
20029 .alen = 0,
20030 .ptext = "\x2e\xb7\x20\x1c\x50\x6a\x4b\x8b"
20031 "\x84\x42\x7a\xd7\xe1\xb5\xcd\x1f"
20032 "\xd3",
20033 .plen = 17,
20034 .ctext = "\x71\x6b\x37\x0b\x02\x61\x28\x12"
20035 "\x83\xab\x66\x90\x84\xc7\xd1\xc5"
20036 "\xb2\x7a\xb4\x7b\xb4\xfe\x02\xb2"
20037 "\xc0\x00\x39\x13\xb5\x51\x68\x44"
20038 "\xad",
20039 .clen = 33,
20040 }, {
20041 .key = "\x3d\x80\xae\x84\x94\x09\xf6\x12"
20042 "\xa4\x79\xa6\xfb\xe0\x7f\xfd\xa0"
20043 "\x9e\x7c\xbc\xb6\x5b\xc8\x6a\x86"
20044 "\xf7\xef\x91\x30\xf9\xf2\x04\xe6",
20045 .klen = 32,
20046 .iv = "\x4c\x49\x3d\xec\xd8\xa8\xa0\x98"
20047 "\xc5\xb0\xd3\x1f\xde\x48\x2e\x22"
20048 "\x69\x2c\x3f\xd7\x9c\x70\x4a\x8d"
20049 "\x27\xfa\xc9\x26\xaf\x0a\xeb\x9c",
20050 .assoc = "",
20051 .alen = 0,
20052 .ptext = "\x6b\xdc\x5a\xbb\x60\xe5\xf4\xa6"
20053 "\x05\x1d\x2c\x68\xdb\xda\x8f\x25"
20054 "\xfe\x8d\x45\x19\x1e\xc0\x0b\x99"
20055 "\x88\x11\x39\x12\x1c\x3a\xbb",
20056 .plen = 31,
20057 .ctext = "\xaf\xa4\x34\x0d\x59\xe6\x1c\x2f"
20058 "\x06\x3b\x52\x18\x49\x75\x1b\xf0"
20059 "\x53\x09\x72\x7b\x45\x79\xe0\xbe"
20060 "\x89\x85\x23\x15\xb8\x79\x07\x4c"
20061 "\x53\x7a\x15\x37\x0a\xee\xb7\xfb"
20062 "\xc4\x1f\x12\x27\xcf\x77\x90",
20063 .clen = 47,
20064 }, {
20065 .key = "\x7a\xa5\xe8\x23\xa4\x84\x9e\x2d"
20066 "\x25\x53\x58\x8c\xda\xa3\xc0\xa6"
20067 "\xc8\x3e\xc8\x3a\x60\x68\xec\xa0"
20068 "\xb8\x1c\x70\x08\xd3\x51\xa3\xbd",
20069 .klen = 32,
20070 .iv = "\x89\x6e\x77\x8b\xe8\x23\x49\xb4"
20071 "\x45\x8a\x85\xb1\xd8\x6c\xf1\x28"
20072 "\x93\xef\x4b\x5b\xa1\x10\xcc\xa6"
20073 "\xe8\x28\xa8\xfe\x89\x69\x8b\x72",
20074 .assoc = "",
20075 .alen = 0,
20076 .ptext = "\xa7\x00\x93\x5b\x70\x61\x9d\xc2"
20077 "\x86\xf7\xde\xfa\xd5\xfe\x52\x2b"
20078 "\x28\x50\x51\x9d\x24\x60\x8d\xb3"
20079 "\x49\x3e\x17\xea\xf6\x99\x5a\xdd",
20080 .plen = 32,
20081 .ctext = "\xe2\xc9\x0b\x33\x31\x02\xb3\xb4"
20082 "\x33\xfe\xeb\xa8\xb7\x9b\xb2\xd7"
20083 "\xeb\x0f\x05\x2b\xba\xb3\xca\xef"
20084 "\xf6\xd1\xb6\xc0\xb9\x9b\x85\xc5"
20085 "\xbf\x7a\x3e\xcc\x31\x76\x09\x80"
20086 "\x32\x5d\xbb\xe8\x38\x0e\x77\xd3",
20087 .clen = 48,
20088 }, {
20089 .key = "\xb6\xca\x22\xc3\xb4\x00\x47\x49"
20090 "\xa6\x2d\x0a\x1e\xd4\xc7\x83\xad"
20091 "\xf3\x00\xd4\xbf\x65\x08\x6e\xb9"
20092 "\x7a\x4a\x4f\xe0\xad\xb0\x42\x93",
20093 .klen = 32,
20094 .iv = "\xc5\x93\xb0\x2a\xf8\x9f\xf1\xd0"
20095 "\xc6\x64\x37\x42\xd2\x90\xb3\x2e"
20096 "\xbd\xb1\x57\xe0\xa6\xb0\x4e\xc0"
20097 "\xaa\x55\x87\xd6\x63\xc8\x2a\x49",
20098 .assoc = "\xd5",
20099 .alen = 1,
20100 .ptext = "",
20101 .plen = 0,
20102 .ctext = "\x96\x43\x30\xca\x6c\x4f\xd7\x12"
20103 "\xba\xd9\xb3\x18\x86\xdf\xc3\x52",
20104 .clen = 16,
20105 }, {
20106 .key = "\xf3\xee\x5c\x62\xc4\x7c\xf0\x65"
20107 "\x27\x08\xbd\xaf\xce\xec\x45\xb3"
20108 "\x1d\xc3\xdf\x43\x6a\xa8\xf0\xd3"
20109 "\x3b\x77\x2e\xb9\x87\x0f\xe1\x6a",
20110 .klen = 32,
20111 .iv = "\x02\xb8\xea\xca\x09\x1b\x9a\xec"
20112 "\x47\x3e\xe9\xd4\xcc\xb5\x76\x34"
20113 "\xe8\x73\x62\x64\xab\x50\xd0\xda"
20114 "\x6b\x83\x66\xaf\x3e\x27\xc9\x1f",
20115 .assoc = "\x11\x81\x78\x32\x4d\xb9\x44\x73"
20116 "\x68\x75\x16\xf8\xcb\x7e\xa7",
20117 .alen = 15,
20118 .ptext = "",
20119 .plen = 0,
20120 .ctext = "\x2f\xab\x45\xe2\xa7\x46\xc5\x83"
20121 "\x11\x9f\xb0\x74\xee\xc7\x03\xdd",
20122 .clen = 16,
20123 }, {
20124 .key = "\x2f\x13\x95\x01\xd5\xf7\x99\x81"
20125 "\xa8\xe2\x6f\x41\xc8\x10\x08\xb9"
20126 "\x47\x85\xeb\xc7\x6f\x48\x72\xed"
20127 "\xfc\xa5\x0d\x91\x61\x6e\x81\x40",
20128 .klen = 32,
20129 .iv = "\x3f\xdc\x24\x69\x19\x96\x43\x08"
20130 "\xc8\x18\x9b\x65\xc6\xd9\x39\x3b"
20131 "\x12\x35\x6e\xe8\xb0\xf0\x52\xf3"
20132 "\x2d\xb0\x45\x87\x18\x86\x68\xf6",
20133 .assoc = "\x4e\xa5\xb2\xd1\x5d\x35\xed\x8f"
20134 "\xe8\x4f\xc8\x89\xc5\xa2\x69\xbc",
20135 .alen = 16,
20136 .ptext = "",
20137 .plen = 0,
20138 .ctext = "\x16\x44\x73\x33\x5d\xf2\xb9\x04"
20139 "\x6b\x79\x98\xef\xdb\xd5\xc5\xf1",
20140 .clen = 16,
20141 }, {
20142 .key = "\x6c\x38\xcf\xa1\xe5\x73\x41\x9d"
20143 "\x29\xbc\x21\xd2\xc2\x35\xcb\xbf"
20144 "\x72\x47\xf6\x4b\x74\xe8\xf4\x06"
20145 "\xbe\xd3\xec\x6a\x3b\xcd\x20\x17",
20146 .klen = 32,
20147 .iv = "\x7b\x01\x5d\x08\x29\x12\xec\x24"
20148 "\x49\xf3\x4d\xf7\xc0\xfe\xfb\x41"
20149 "\x3c\xf8\x79\x6c\xb6\x90\xd4\x0d"
20150 "\xee\xde\x23\x60\xf2\xe5\x08\xcc",
20151 .assoc = "\x8a\xca\xec\x70\x6d\xb1\x96\xab"
20152 "\x69\x29\x7a\x1b\xbf\xc7\x2c\xc2"
20153 "\x07",
20154 .alen = 17,
20155 .ptext = "",
20156 .plen = 0,
20157 .ctext = "\xa4\x9b\xb8\x47\xc0\xed\x7a\x45"
20158 "\x98\x54\x8c\xed\x3d\x17\xf0\xdd",
20159 .clen = 16,
20160 }, {
20161 .key = "\xa8\x5c\x09\x40\xf5\xef\xea\xb8"
20162 "\xaa\x96\xd3\x64\xbc\x59\x8d\xc6"
20163 "\x9c\x0a\x02\xd0\x79\x88\x76\x20"
20164 "\x7f\x00\xca\x42\x15\x2c\xbf\xed",
20165 .klen = 32,
20166 .iv = "\xb8\x26\x97\xa8\x39\x8e\x94\x3f"
20167 "\xca\xcd\xff\x88\xba\x22\xbe\x47"
20168 "\x67\xba\x85\xf1\xbb\x30\x56\x26"
20169 "\xaf\x0b\x02\x38\xcc\x44\xa7\xa3",
20170 .assoc = "\xc7\xef\x26\x10\x7d\x2c\x3f\xc6"
20171 "\xea\x03\x2c\xac\xb9\xeb\xef\xc9"
20172 "\x31\x6b\x08\x12\xfc\xd8\x37\x2d"
20173 "\xe0\x17\x3a\x2e\x83\x5c\x8f",
20174 .alen = 31,
20175 .ptext = "",
20176 .plen = 0,
20177 .ctext = "\x20\x24\xe2\x33\x5c\x60\xc9\xf0"
20178 "\xa4\x96\x2f\x0d\x53\xc2\xf8\xfc",
20179 .clen = 16,
20180 }, {
20181 .key = "\xe5\x81\x42\xdf\x05\x6a\x93\xd4"
20182 "\x2b\x70\x85\xf5\xb6\x7d\x50\xcc"
20183 "\xc6\xcc\x0e\x54\x7f\x28\xf8\x3a"
20184 "\x40\x2e\xa9\x1a\xf0\x8b\x5e\xc4",
20185 .klen = 32,
20186 .iv = "\xf4\x4a\xd1\x47\x49\x09\x3d\x5b"
20187 "\x4b\xa7\xb1\x19\xb4\x46\x81\x4d"
20188 "\x91\x7c\x91\x75\xc0\xd0\xd8\x40"
20189 "\x71\x39\xe1\x10\xa6\xa3\x46\x7a",
20190 .assoc = "\x03\x14\x5f\xaf\x8d\xa8\xe7\xe2"
20191 "\x6b\xde\xde\x3e\xb3\x10\xb1\xcf"
20192 "\x5c\x2d\x14\x96\x01\x78\xb9\x47"
20193 "\xa1\x44\x19\x06\x5d\xbb\x2e\x2f",
20194 .alen = 32,
20195 .ptext = "",
20196 .plen = 0,
20197 .ctext = "\x6f\x4a\xb9\xe0\xff\x51\xa3\xf1"
20198 "\xd2\x64\x3e\x66\x6a\xb2\x03\xc0",
20199 .clen = 16,
20200 }, {
20201 .key = "\x22\xa6\x7c\x7f\x15\xe6\x3c\xf0"
20202 "\xac\x4b\x37\x86\xb0\xa2\x13\xd2"
20203 "\xf1\x8e\x19\xd8\x84\xc8\x7a\x53"
20204 "\x02\x5b\x88\xf3\xca\xea\xfe\x9b",
20205 .klen = 32,
20206 .iv = "\x31\x6f\x0b\xe6\x59\x85\xe6\x77"
20207 "\xcc\x81\x63\xab\xae\x6b\x43\x54"
20208 "\xbb\x3f\x9c\xf9\xc5\x70\x5a\x5a"
20209 "\x32\x67\xc0\xe9\x80\x02\xe5\x50",
20210 .assoc = "\x40",
20211 .alen = 1,
20212 .ptext = "\x4f",
20213 .plen = 1,
20214 .ctext = "\x2c\xfb\xad\x7e\xbe\xa0\x9a\x5b"
20215 "\x7a\x3f\x81\xf7\xfc\x1b\x79\x83"
20216 "\xc7",
20217 .clen = 17,
20218 }, {
20219 .key = "\x5e\xcb\xb6\x1e\x25\x62\xe4\x0c"
20220 "\x2d\x25\xe9\x18\xaa\xc6\xd5\xd8"
20221 "\x1b\x50\x25\x5d\x89\x68\xfc\x6d"
20222 "\xc3\x89\x67\xcb\xa4\x49\x9d\x71",
20223 .klen = 32,
20224 .iv = "\x6d\x94\x44\x86\x69\x00\x8f\x93"
20225 "\x4d\x5b\x15\x3c\xa8\x8f\x06\x5a"
20226 "\xe6\x01\xa8\x7e\xca\x10\xdc\x73"
20227 "\xf4\x94\x9f\xc1\x5a\x61\x85\x27",
20228 .assoc = "\x7c\x5d\xd3\xee\xad\x9f\x39\x1a"
20229 "\x6d\x92\x42\x61\xa7\x58\x37",
20230 .alen = 15,
20231 .ptext = "\x8b\x26\x61\x55\xf1\x3e\xe3\xa1"
20232 "\x8d\xc8\x6e\x85\xa5\x21\x67",
20233 .plen = 15,
20234 .ctext = "\x1f\x7f\xca\x3c\x2b\xe7\x27\xba"
20235 "\x7e\x98\x83\x02\x34\x23\xf7\x94"
20236 "\xde\x35\xe6\x1d\x14\x18\xe5\x38"
20237 "\x14\x80\x6a\xa7\x1b\xae\x1d",
20238 .clen = 31,
20239 }, {
20240 .key = "\x9b\xef\xf0\xbd\x35\xdd\x8d\x28"
20241 "\xad\xff\x9b\xa9\xa4\xeb\x98\xdf"
20242 "\x46\x13\x31\xe1\x8e\x08\x7e\x87"
20243 "\x85\xb6\x46\xa3\x7e\xa8\x3c\x48",
20244 .klen = 32,
20245 .iv = "\xaa\xb8\x7e\x25\x79\x7c\x37\xaf"
20246 "\xce\x36\xc7\xce\xa2\xb4\xc9\x60"
20247 "\x10\xc3\xb3\x02\xcf\xb0\x5e\x8d"
20248 "\xb5\xc2\x7e\x9a\x35\xc0\x24\xfd",
20249 .assoc = "\xb9\x82\x0c\x8d\xbd\x1b\xe2\x36"
20250 "\xee\x6c\xf4\xf2\xa1\x7d\xf9\xe2",
20251 .alen = 16,
20252 .ptext = "\xc8\x4b\x9b\xf5\x01\xba\x8c\xbd"
20253 "\x0e\xa3\x21\x16\x9f\x46\x2a\x63",
20254 .plen = 16,
20255 .ctext = "\x05\x86\x9e\xd7\x2b\xa3\x97\x01"
20256 "\xbe\x28\x98\x10\x6f\xe9\x61\x32"
20257 "\x96\xbb\xb1\x2e\x8f\x0c\x44\xb9"
20258 "\x46\x2d\x55\xe3\x42\x67\xf2\xaf",
20259 .clen = 32,
20260 }, {
20261 .key = "\xd7\x14\x29\x5d\x45\x59\x36\x44"
20262 "\x2e\xd9\x4d\x3b\x9e\x0f\x5b\xe5"
20263 "\x70\xd5\x3c\x65\x93\xa8\x00\xa0"
20264 "\x46\xe4\x25\x7c\x58\x08\xdb\x1e",
20265 .klen = 32,
20266 .iv = "\xe6\xdd\xb8\xc4\x89\xf8\xe0\xca"
20267 "\x4f\x10\x7a\x5f\x9c\xd8\x8b\x66"
20268 "\x3b\x86\xbf\x86\xd4\x50\xe0\xa7"
20269 "\x76\xef\x5c\x72\x0f\x1f\xc3\xd4",
20270 .assoc = "\xf5\xa6\x46\x2c\xce\x97\x8a\x51"
20271 "\x6f\x46\xa6\x83\x9b\xa1\xbc\xe8"
20272 "\x05",
20273 .alen = 17,
20274 .ptext = "\x05\x70\xd5\x94\x12\x36\x35\xd8"
20275 "\x8f\x7d\xd3\xa8\x99\x6a\xed\x69"
20276 "\xd0",
20277 .plen = 17,
20278 .ctext = "\x9c\xe0\x06\x7b\x86\xcf\x2e\xd8"
20279 "\x45\x65\x1b\x72\x9b\xaa\xa3\x1e"
20280 "\x87\x9d\x26\xdf\xff\x81\x11\xd2"
20281 "\x47\x41\xb9\x24\xc1\x8a\xa3\x8b"
20282 "\x55",
20283 .clen = 33,
20284 }, {
20285 .key = "\x14\x39\x63\xfc\x56\xd5\xdf\x5f"
20286 "\xaf\xb3\xff\xcc\x98\x33\x1d\xeb"
20287 "\x9a\x97\x48\xe9\x98\x48\x82\xba"
20288 "\x07\x11\x04\x54\x32\x67\x7b\xf5",
20289 .klen = 32,
20290 .iv = "\x23\x02\xf1\x64\x9a\x73\x89\xe6"
20291 "\xd0\xea\x2c\xf1\x96\xfc\x4e\x6d"
20292 "\x65\x48\xcb\x0a\xda\xf0\x62\xc0"
20293 "\x38\x1d\x3b\x4a\xe9\x7e\x62\xaa",
20294 .assoc = "\x32\xcb\x80\xcc\xde\x12\x33\x6d"
20295 "\xf0\x20\x58\x15\x95\xc6\x7f\xee"
20296 "\x2f\xf9\x4e\x2c\x1b\x98\x43\xc7"
20297 "\x68\x28\x73\x40\x9f\x96\x4a",
20298 .alen = 31,
20299 .ptext = "\x41\x94\x0e\x33\x22\xb1\xdd\xf4"
20300 "\x10\x57\x85\x39\x93\x8f\xaf\x70"
20301 "\xfa\xa9\xd0\x4d\x5c\x40\x23\xcd"
20302 "\x98\x34\xab\x37\x56\xae\x32",
20303 .plen = 31,
20304 .ctext = "\xa0\xc8\xde\x83\x0d\xc3\x4e\xd5"
20305 "\x69\x7f\x7a\xdd\x8c\x46\xda\xba"
20306 "\x0a\x5c\x0e\x7f\xac\xee\x02\xd2"
20307 "\xe5\x4b\x0a\xba\xb8\xa4\x7b\x66"
20308 "\xde\xae\xdb\xc2\xc0\x0b\xf7\x2b"
20309 "\xdf\xb8\xea\xd8\xa9\x38\xed",
20310 .clen = 47,
20311 }, {
20312 .key = "\x50\x5d\x9d\x9b\x66\x50\x88\x7b"
20313 "\x30\x8e\xb1\x5e\x92\x58\xe0\xf1"
20314 "\xc5\x5a\x53\x6e\x9d\xe8\x04\xd4"
20315 "\xc9\x3f\xe2\x2d\x0c\xc6\x1a\xcb",
20316 .klen = 32,
20317 .iv = "\x5f\x27\x2b\x03\xaa\xef\x32\x02"
20318 "\x50\xc4\xde\x82\x90\x21\x11\x73"
20319 "\x8f\x0a\xd6\x8f\xdf\x90\xe4\xda"
20320 "\xf9\x4a\x1a\x23\xc3\xdd\x02\x81",
20321 .assoc = "\x6e\xf0\xba\x6b\xee\x8e\xdc\x89"
20322 "\x71\xfb\x0a\xa6\x8f\xea\x41\xf4"
20323 "\x5a\xbb\x59\xb0\x20\x38\xc5\xe0"
20324 "\x29\x56\x52\x19\x79\xf5\xe9\x37",
20325 .alen = 32,
20326 .ptext = "\x7e\xb9\x48\xd3\x32\x2d\x86\x10"
20327 "\x91\x31\x37\xcb\x8d\xb3\x72\x76"
20328 "\x24\x6b\xdc\xd1\x61\xe0\xa5\xe7"
20329 "\x5a\x61\x8a\x0f\x30\x0d\xd1\xec",
20330 .plen = 32,
20331 .ctext = "\xd3\x68\x14\x70\x3c\x01\x43\x86"
20332 "\x02\xab\xbe\x75\xaa\xe7\xf5\x53"
20333 "\x5c\x05\xbd\x9b\x19\xbb\x2a\x61"
20334 "\x8f\x69\x05\x75\x8e\xca\x60\x0c"
20335 "\x5b\xa2\x48\x61\x32\x74\x11\x2b"
20336 "\xf6\xcf\x06\x78\x6f\x78\x1a\x4a",
20337 .clen = 48,
20338 }, {
20339 .key = "\x8d\x82\xd6\x3b\x76\xcc\x30\x97"
20340 "\xb1\x68\x63\xef\x8c\x7c\xa3\xf7"
20341 "\xef\x1c\x5f\xf2\xa3\x88\x86\xed"
20342 "\x8a\x6d\xc1\x05\xe7\x25\xb9\xa2",
20343 .klen = 32,
20344 .iv = "\x9c\x4b\x65\xa2\xba\x6b\xdb\x1e"
20345 "\xd1\x9e\x90\x13\x8a\x45\xd3\x79"
20346 "\xba\xcd\xe2\x13\xe4\x30\x66\xf4"
20347 "\xba\x78\xf9\xfb\x9d\x3c\xa1\x58",
20348 .assoc = "\xab\x14\xf3\x0a\xfe\x0a\x85\xa5"
20349 "\xf2\xd5\xbc\x38\x89\x0e\x04\xfb"
20350 "\x84\x7d\x65\x34\x25\xd8\x47\xfa"
20351 "\xeb\x83\x31\xf1\x54\x54\x89\x0d"
20352 "\x9d",
20353 .alen = 33,
20354 .ptext = "\xba\xde\x82\x72\x42\xa9\x2f\x2c"
20355 "\x12\x0b\xe9\x5c\x87\xd7\x35\x7c"
20356 "\x4f\x2e\xe8\x55\x66\x80\x27\x00"
20357 "\x1b\x8f\x68\xe7\x0a\x6c\x71\xc3"
20358 "\x21\x78\x55\x9d\x9c\x65\x7b\xcd"
20359 "\x0a\x34\x97\xff\x47\x37\xb0\x2a"
20360 "\x80\x0d\x19\x98\x33\xa9\x7a\xe3"
20361 "\x2e\x4c\xc6\xf3\x8c\x88\x42\x01"
20362 "\xbd",
20363 .plen = 65,
20364 .ctext = "\x07\x0a\x35\xb0\x82\x03\x5a\xd2"
20365 "\x15\x3a\x6c\x72\x83\x9b\xb1\x75"
20366 "\xea\xf2\xfc\xff\xc6\xf1\x13\xa4"
20367 "\x1a\x93\x33\x79\x97\x82\x81\xc0"
20368 "\x96\xc2\x00\xab\x39\xae\xa1\x62"
20369 "\x53\xa3\x86\xc9\x07\x8c\xaf\x22"
20370 "\x47\x31\x29\xca\x4a\x95\xf5\xd5"
20371 "\x20\x63\x5a\x54\x80\x2c\x4a\x63"
20372 "\xfb\x18\x73\x31\x4f\x08\x21\x5d"
20373 "\x20\xe9\xc3\x7e\xea\x25\x77\x3a"
20374 "\x65",
20375 .clen = 81,
20376 }, {
20377 .key = "\xc9\xa7\x10\xda\x86\x48\xd9\xb3"
20378 "\x32\x42\x15\x80\x85\xa1\x65\xfe"
20379 "\x19\xde\x6b\x76\xa8\x28\x08\x07"
20380 "\x4b\x9a\xa0\xdd\xc1\x84\x58\x79",
20381 .klen = 32,
20382 .iv = "\xd8\x70\x9f\x42\xca\xe6\x83\x3a"
20383 "\x52\x79\x42\xa5\x84\x6a\x96\x7f"
20384 "\xe4\x8f\xed\x97\xe9\xd0\xe8\x0d"
20385 "\x7c\xa6\xd8\xd4\x77\x9b\x40\x2e",
20386 .assoc = "\xe8\x39\x2d\xaa\x0e\x85\x2d\xc1"
20387 "\x72\xaf\x6e\xc9\x82\x33\xc7\x01"
20388 "\xaf\x40\x70\xb8\x2a\x78\xc9\x14"
20389 "\xac\xb1\x10\xca\x2e\xb3\x28\xe4"
20390 "\xac\xfa\x58\x7f\xe5\x73\x09\x8c"
20391 "\x1d\x40\x87\x8c\xd9\x75\xc0\x55"
20392 "\xa2\xda\x07\xd1\xc2\xa9\xd1\xbb"
20393 "\x09\x4f\x77\x62\x88\x2d\xf2\x68"
20394 "\x54",
20395 .alen = 65,
20396 .ptext = "\xf7\x02\xbb\x11\x52\x24\xd8\x48"
20397 "\x93\xe6\x9b\xee\x81\xfc\xf7\x82"
20398 "\x79\xf0\xf3\xd9\x6c\x20\xa9\x1a"
20399 "\xdc\xbc\x47\xc0\xe4\xcb\x10\x99"
20400 "\x2f",
20401 .plen = 33,
20402 .ctext = "\x33\xc1\xda\xfa\x15\x21\x07\x8e"
20403 "\x93\x68\xea\x64\x7b\x3d\x4b\x6b"
20404 "\x71\x5e\x5e\x6b\x92\xaa\x65\xc2"
20405 "\x7a\x2a\xc1\xa9\x0a\xa1\x24\x81"
20406 "\x26\x3a\x5a\x09\xe8\xce\x73\x72"
20407 "\xde\x7b\x58\x9e\x85\xb9\xa4\x28"
20408 "\xda",
20409 .clen = 49,
20410 }, {
20411 .key = "\x06\xcc\x4a\x79\x96\xc3\x82\xcf"
20412 "\xb3\x1c\xc7\x12\x7f\xc5\x28\x04"
20413 "\x44\xa1\x76\xfb\xad\xc8\x8a\x21"
20414 "\x0d\xc8\x7f\xb6\x9b\xe3\xf8\x4f",
20415 .klen = 32,
20416 .iv = "\x15\x95\xd8\xe1\xda\x62\x2c\x56"
20417 "\xd3\x53\xf4\x36\x7e\x8e\x59\x85"
20418 "\x0e\x51\xf9\x1c\xee\x70\x6a\x27"
20419 "\x3d\xd3\xb7\xac\x51\xfa\xdf\x05",
20420 .assoc = "\x24\x5e\x67\x49\x1e\x01\xd6\xdd"
20421 "\xf3\x89\x20\x5b\x7c\x57\x89\x07",
20422 .alen = 16,
20423 .ptext = "\x33\x27\xf5\xb1\x62\xa0\x80\x63"
20424 "\x14\xc0\x4d\x7f\x7b\x20\xba\x89",
20425 .plen = 16,
20426 .ctext = "\x3e\xf8\x86\x3d\x39\xf8\x96\x02"
20427 "\x0f\xdf\xc9\x6e\x37\x1e\x57\x99"
20428 "\x07\x2a\x1a\xac\xd1\xda\xfd\x3b"
20429 "\xc7\xff\xbd\xbc\x85\x09\x0b",
20430 .clen = 31,
20431 }, {
20432 .key = "\x42\xf0\x84\x19\xa6\x3f\x2b\xea"
20433 "\x34\xf6\x79\xa3\x79\xe9\xeb\x0a"
20434 "\x6e\x63\x82\x7f\xb2\x68\x0c\x3a"
20435 "\xce\xf5\x5e\x8e\x75\x42\x97\x26",
20436 .klen = 32,
20437 .iv = "\x51\xb9\x12\x80\xea\xde\xd5\x71"
20438 "\x54\x2d\xa6\xc8\x78\xb2\x1b\x8c"
20439 "\x39\x14\x05\xa0\xf3\x10\xec\x41"
20440 "\xff\x01\x95\x84\x2b\x59\x7f\xdb",
20441 .assoc = "\x61\x83\xa0\xe8\x2e\x7d\x7f\xf8"
20442 "\x74\x63\xd2\xec\x76\x7c\x4c\x0d",
20443 .alen = 16,
20444 .ptext = "\x70\x4c\x2f\x50\x72\x1c\x29\x7f"
20445 "\x95\x9a\xff\x10\x75\x45\x7d\x8f",
20446 .plen = 16,
20447 .ctext = "\x2f\xc4\xd8\x0d\xa6\x07\xef\x2e"
20448 "\x6c\xd9\x84\x63\x70\x97\x61\x37"
20449 "\x08\x2f\x16\x90\x9e\x62\x30\x0d"
20450 "\x62\xd5\xc8\xf0\x46\x1a",
20451 .clen = 30,
20452 }, {
20453 .key = "\x7f\x15\xbd\xb8\xb6\xba\xd3\x06"
20454 "\xb5\xd1\x2b\x35\x73\x0e\xad\x10"
20455 "\x98\x25\x8d\x03\xb7\x08\x8e\x54"
20456 "\x90\x23\x3d\x67\x4f\xa1\x36\xfc",
20457 .klen = 32,
20458 .iv = "\x8e\xde\x4c\x20\xfa\x59\x7e\x8d"
20459 "\xd5\x07\x58\x59\x72\xd7\xde\x92"
20460 "\x63\xd6\x10\x24\xf8\xb0\x6e\x5a"
20461 "\xc0\x2e\x74\x5d\x06\xb8\x1e\xb2",
20462 .assoc = "\x9d\xa7\xda\x88\x3e\xf8\x28\x14"
20463 "\xf5\x3e\x85\x7d\x70\xa0\x0f\x13",
20464 .alen = 16,
20465 .ptext = "\xac\x70\x69\xef\x82\x97\xd2\x9b"
20466 "\x15\x74\xb1\xa2\x6f\x69\x3f\x95",
20467 .plen = 16,
20468 .ctext = "\xce\xf3\x17\x87\x49\xc2\x00\x46"
20469 "\xc6\x12\x5c\x8f\x81\x38\xaa\x55"
20470 "\xf8\x67\x75\xf1\x75\xe3\x2a\x24",
20471 .clen = 24,
20472 },
20473};
20474
20475/*
20476 * All key wrapping test vectors taken from 19492 * All key wrapping test vectors taken from
20477 * http://csrc.nist.gov/groups/STM/cavp/documents/mac/kwtestvectors.zip 19493 * http://csrc.nist.gov/groups/STM/cavp/documents/mac/kwtestvectors.zip
20478 * 19494 *
generated by cgit v1.2.2 (git 2.25.0) at 2025-09-08 05:29:24 -0400