aboutsummaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
authorEric Biggers <ebiggers@google.com>2018-11-16 20:26:31 -0500
committerHerbert Xu <herbert@gondor.apana.org.au>2018-11-20 01:26:56 -0500
commit059c2a4d8e164dccc3078e49e7f286023b019a98 (patch)
tree1848d90f72c8c531ed3fe9793cabcb8a04c490b3 /crypto
parent16aae3595a9d41c97d983889b341c455779c2ecf (diff)
crypto: adiantum - add Adiantum support
Add support for the Adiantum encryption mode. Adiantum was designed by Paul Crowley and is specified by our paper: Adiantum: length-preserving encryption for entry-level processors (https://eprint.iacr.org/2018/720.pdf) See our paper for full details; this patch only provides an overview. Adiantum is a tweakable, length-preserving encryption mode designed for fast and secure disk encryption, especially on CPUs without dedicated crypto instructions. Adiantum encrypts each sector using the XChaCha12 stream cipher, two passes of an ε-almost-∆-universal (εA∆U) hash function, and an invocation of the AES-256 block cipher on a single 16-byte block. On CPUs without AES instructions, Adiantum is much faster than AES-XTS; for example, on ARM Cortex-A7, on 4096-byte sectors Adiantum encryption is about 4 times faster than AES-256-XTS encryption, and decryption about 5 times faster. Adiantum is a specialization of the more general HBSH construction. Our earlier proposal, HPolyC, was also a HBSH specialization, but it used a different εA∆U hash function, one based on Poly1305 only. Adiantum's εA∆U hash function, which is based primarily on the "NH" hash function like that used in UMAC (RFC4418), is about twice as fast as HPolyC's; consequently, Adiantum is about 20% faster than HPolyC. This speed comes with no loss of security: Adiantum is provably just as secure as HPolyC, in fact slightly *more* secure. Like HPolyC, Adiantum's security is reducible to that of XChaCha12 and AES-256, subject to a security bound. XChaCha12 itself has a security reduction to ChaCha12. Therefore, one need not "trust" Adiantum; one need only trust ChaCha12 and AES-256. Note that the εA∆U hash function is only used for its proven combinatorical properties so cannot be "broken". Adiantum is also a true wide-block encryption mode, so flipping any plaintext bit in the sector scrambles the entire ciphertext, and vice versa. No other such mode is available in the kernel currently; doing the same with XTS scrambles only 16 bytes. Adiantum also supports arbitrary-length tweaks and naturally supports any length input >= 16 bytes without needing "ciphertext stealing". For the stream cipher, Adiantum uses XChaCha12 rather than XChaCha20 in order to make encryption feasible on the widest range of devices. Although the 20-round variant is quite popular, the best known attacks on ChaCha are on only 7 rounds, so ChaCha12 still has a substantial security margin; in fact, larger than AES-256's. 12-round Salsa20 is also the eSTREAM recommendation. For the block cipher, Adiantum uses AES-256, despite it having a lower security margin than XChaCha12 and needing table lookups, due to AES's extensive adoption and analysis making it the obvious first choice. Nevertheless, for flexibility this patch also permits the "adiantum" template to be instantiated with XChaCha20 and/or with an alternate block cipher. We need Adiantum support in the kernel for use in dm-crypt and fscrypt, where currently the only other suitable options are block cipher modes such as AES-XTS. A big problem with this is that many low-end mobile devices (e.g. Android Go phones sold primarily in developing countries, as well as some smartwatches) still have CPUs that lack AES instructions, e.g. ARM Cortex-A7. Sadly, AES-XTS encryption is much too slow to be viable on these devices. We did find that some "lightweight" block ciphers are fast enough, but these suffer from problems such as not having much cryptanalysis or being too controversial. The ChaCha stream cipher has excellent performance but is insecure to use directly for disk encryption, since each sector's IV is reused each time it is overwritten. Even restricting the threat model to offline attacks only isn't enough, since modern flash storage devices don't guarantee that "overwrites" are really overwrites, due to wear-leveling. Adiantum avoids this problem by constructing a "tweakable super-pseudorandom permutation"; this is the strongest possible security model for length-preserving encryption. Of course, storing random nonces along with the ciphertext would be the ideal solution. But doing that with existing hardware and filesystems runs into major practical problems; in most cases it would require data journaling (like dm-integrity) which severely degrades performance. Thus, for now length-preserving encryption is still needed. Signed-off-by: Eric Biggers <ebiggers@google.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'crypto')
-rw-r--r--crypto/Kconfig23
-rw-r--r--crypto/Makefile1
-rw-r--r--crypto/adiantum.c658
-rw-r--r--crypto/tcrypt.c12
-rw-r--r--crypto/testmgr.c12
-rw-r--r--crypto/testmgr.h461
6 files changed, 1167 insertions, 0 deletions
diff --git a/crypto/Kconfig b/crypto/Kconfig
index eaeb8a986b7d..b6376d5d973e 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -501,6 +501,29 @@ config CRYPTO_NHPOLY1305
501 select CRYPTO_HASH 501 select CRYPTO_HASH
502 select CRYPTO_POLY1305 502 select CRYPTO_POLY1305
503 503
504config CRYPTO_ADIANTUM
505 tristate "Adiantum support"
506 select CRYPTO_CHACHA20
507 select CRYPTO_POLY1305
508 select CRYPTO_NHPOLY1305
509 help
510 Adiantum is a tweakable, length-preserving encryption mode
511 designed for fast and secure disk encryption, especially on
512 CPUs without dedicated crypto instructions. It encrypts
513 each sector using the XChaCha12 stream cipher, two passes of
514 an ε-almost-∆-universal hash function, and an invocation of
515 the AES-256 block cipher on a single 16-byte block. On CPUs
516 without AES instructions, Adiantum is much faster than
517 AES-XTS.
518
519 Adiantum's security is provably reducible to that of its
520 underlying stream and block ciphers, subject to a security
521 bound. Unlike XTS, Adiantum is a true wide-block encryption
522 mode, so it actually provides an even stronger notion of
523 security than XTS, subject to the security bound.
524
525 If unsure, say N.
526
504comment "Hash modes" 527comment "Hash modes"
505 528
506config CRYPTO_CMAC 529config CRYPTO_CMAC
diff --git a/crypto/Makefile b/crypto/Makefile
index c3310c85f09f..5e789dc2d4fd 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -85,6 +85,7 @@ obj-$(CONFIG_CRYPTO_LRW) += lrw.o
85obj-$(CONFIG_CRYPTO_XTS) += xts.o 85obj-$(CONFIG_CRYPTO_XTS) += xts.o
86obj-$(CONFIG_CRYPTO_CTR) += ctr.o 86obj-$(CONFIG_CRYPTO_CTR) += ctr.o
87obj-$(CONFIG_CRYPTO_KEYWRAP) += keywrap.o 87obj-$(CONFIG_CRYPTO_KEYWRAP) += keywrap.o
88obj-$(CONFIG_CRYPTO_ADIANTUM) += adiantum.o
88obj-$(CONFIG_CRYPTO_NHPOLY1305) += nhpoly1305.o 89obj-$(CONFIG_CRYPTO_NHPOLY1305) += nhpoly1305.o
89obj-$(CONFIG_CRYPTO_GCM) += gcm.o 90obj-$(CONFIG_CRYPTO_GCM) += gcm.o
90obj-$(CONFIG_CRYPTO_CCM) += ccm.o 91obj-$(CONFIG_CRYPTO_CCM) += ccm.o
diff --git a/crypto/adiantum.c b/crypto/adiantum.c
new file mode 100644
index 000000000000..2dfcf12fd452
--- /dev/null
+++ b/crypto/adiantum.c
@@ -0,0 +1,658 @@
1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Adiantum length-preserving encryption mode
4 *
5 * Copyright 2018 Google LLC
6 */
7
8/*
9 * Adiantum is a tweakable, length-preserving encryption mode designed for fast
10 * and secure disk encryption, especially on CPUs without dedicated crypto
11 * instructions. Adiantum encrypts each sector using the XChaCha12 stream
12 * cipher, two passes of an ε-almost-∆-universal (εA∆U) hash function based on
13 * NH and Poly1305, and an invocation of the AES-256 block cipher on a single
14 * 16-byte block. See the paper for details:
15 *
16 * Adiantum: length-preserving encryption for entry-level processors
17 * (https://eprint.iacr.org/2018/720.pdf)
18 *
19 * For flexibility, this implementation also allows other ciphers:
20 *
21 * - Stream cipher: XChaCha12 or XChaCha20
22 * - Block cipher: any with a 128-bit block size and 256-bit key
23 *
24 * This implementation doesn't currently allow other εA∆U hash functions, i.e.
25 * HPolyC is not supported. This is because Adiantum is ~20% faster than HPolyC
26 * but still provably as secure, and also the εA∆U hash function of HBSH is
27 * formally defined to take two inputs (tweak, message) which makes it difficult
28 * to wrap with the crypto_shash API. Rather, some details need to be handled
29 * here. Nevertheless, if needed in the future, support for other εA∆U hash
30 * functions could be added here.
31 */
32
33#include <crypto/b128ops.h>
34#include <crypto/chacha.h>
35#include <crypto/internal/hash.h>
36#include <crypto/internal/skcipher.h>
37#include <crypto/nhpoly1305.h>
38#include <crypto/scatterwalk.h>
39#include <linux/module.h>
40
41#include "internal.h"
42
43/*
44 * Size of right-hand block of input data, in bytes; also the size of the block
45 * cipher's block size and the hash function's output.
46 */
47#define BLOCKCIPHER_BLOCK_SIZE 16
48
49/* Size of the block cipher key (K_E) in bytes */
50#define BLOCKCIPHER_KEY_SIZE 32
51
52/* Size of the hash key (K_H) in bytes */
53#define HASH_KEY_SIZE (POLY1305_BLOCK_SIZE + NHPOLY1305_KEY_SIZE)
54
55/*
56 * The specification allows variable-length tweaks, but Linux's crypto API
57 * currently only allows algorithms to support a single length. The "natural"
58 * tweak length for Adiantum is 16, since that fits into one Poly1305 block for
59 * the best performance. But longer tweaks are useful for fscrypt, to avoid
60 * needing to derive per-file keys. So instead we use two blocks, or 32 bytes.
61 */
62#define TWEAK_SIZE 32
63
64struct adiantum_instance_ctx {
65 struct crypto_skcipher_spawn streamcipher_spawn;
66 struct crypto_spawn blockcipher_spawn;
67 struct crypto_shash_spawn hash_spawn;
68};
69
70struct adiantum_tfm_ctx {
71 struct crypto_skcipher *streamcipher;
72 struct crypto_cipher *blockcipher;
73 struct crypto_shash *hash;
74 struct poly1305_key header_hash_key;
75};
76
77struct adiantum_request_ctx {
78
79 /*
80 * Buffer for right-hand block of data, i.e.
81 *
82 * P_L => P_M => C_M => C_R when encrypting, or
83 * C_R => C_M => P_M => P_L when decrypting.
84 *
85 * Also used to build the IV for the stream cipher.
86 */
87 union {
88 u8 bytes[XCHACHA_IV_SIZE];
89 __le32 words[XCHACHA_IV_SIZE / sizeof(__le32)];
90 le128 bignum; /* interpret as element of Z/(2^{128}Z) */
91 } rbuf;
92
93 bool enc; /* true if encrypting, false if decrypting */
94
95 /*
96 * The result of the Poly1305 εA∆U hash function applied to
97 * (message length, tweak).
98 */
99 le128 header_hash;
100
101 /* Sub-requests, must be last */
102 union {
103 struct shash_desc hash_desc;
104 struct skcipher_request streamcipher_req;
105 } u;
106};
107
108/*
109 * Given the XChaCha stream key K_S, derive the block cipher key K_E and the
110 * hash key K_H as follows:
111 *
112 * K_E || K_H || ... = XChaCha(key=K_S, nonce=1||0^191)
113 *
114 * Note that this denotes using bits from the XChaCha keystream, which here we
115 * get indirectly by encrypting a buffer containing all 0's.
116 */
117static int adiantum_setkey(struct crypto_skcipher *tfm, const u8 *key,
118 unsigned int keylen)
119{
120 struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
121 struct {
122 u8 iv[XCHACHA_IV_SIZE];
123 u8 derived_keys[BLOCKCIPHER_KEY_SIZE + HASH_KEY_SIZE];
124 struct scatterlist sg;
125 struct crypto_wait wait;
126 struct skcipher_request req; /* must be last */
127 } *data;
128 u8 *keyp;
129 int err;
130
131 /* Set the stream cipher key (K_S) */
132 crypto_skcipher_clear_flags(tctx->streamcipher, CRYPTO_TFM_REQ_MASK);
133 crypto_skcipher_set_flags(tctx->streamcipher,
134 crypto_skcipher_get_flags(tfm) &
135 CRYPTO_TFM_REQ_MASK);
136 err = crypto_skcipher_setkey(tctx->streamcipher, key, keylen);
137 crypto_skcipher_set_flags(tfm,
138 crypto_skcipher_get_flags(tctx->streamcipher) &
139 CRYPTO_TFM_RES_MASK);
140 if (err)
141 return err;
142
143 /* Derive the subkeys */
144 data = kzalloc(sizeof(*data) +
145 crypto_skcipher_reqsize(tctx->streamcipher), GFP_KERNEL);
146 if (!data)
147 return -ENOMEM;
148 data->iv[0] = 1;
149 sg_init_one(&data->sg, data->derived_keys, sizeof(data->derived_keys));
150 crypto_init_wait(&data->wait);
151 skcipher_request_set_tfm(&data->req, tctx->streamcipher);
152 skcipher_request_set_callback(&data->req, CRYPTO_TFM_REQ_MAY_SLEEP |
153 CRYPTO_TFM_REQ_MAY_BACKLOG,
154 crypto_req_done, &data->wait);
155 skcipher_request_set_crypt(&data->req, &data->sg, &data->sg,
156 sizeof(data->derived_keys), data->iv);
157 err = crypto_wait_req(crypto_skcipher_encrypt(&data->req), &data->wait);
158 if (err)
159 goto out;
160 keyp = data->derived_keys;
161
162 /* Set the block cipher key (K_E) */
163 crypto_cipher_clear_flags(tctx->blockcipher, CRYPTO_TFM_REQ_MASK);
164 crypto_cipher_set_flags(tctx->blockcipher,
165 crypto_skcipher_get_flags(tfm) &
166 CRYPTO_TFM_REQ_MASK);
167 err = crypto_cipher_setkey(tctx->blockcipher, keyp,
168 BLOCKCIPHER_KEY_SIZE);
169 crypto_skcipher_set_flags(tfm,
170 crypto_cipher_get_flags(tctx->blockcipher) &
171 CRYPTO_TFM_RES_MASK);
172 if (err)
173 goto out;
174 keyp += BLOCKCIPHER_KEY_SIZE;
175
176 /* Set the hash key (K_H) */
177 poly1305_core_setkey(&tctx->header_hash_key, keyp);
178 keyp += POLY1305_BLOCK_SIZE;
179
180 crypto_shash_clear_flags(tctx->hash, CRYPTO_TFM_REQ_MASK);
181 crypto_shash_set_flags(tctx->hash, crypto_skcipher_get_flags(tfm) &
182 CRYPTO_TFM_REQ_MASK);
183 err = crypto_shash_setkey(tctx->hash, keyp, NHPOLY1305_KEY_SIZE);
184 crypto_skcipher_set_flags(tfm, crypto_shash_get_flags(tctx->hash) &
185 CRYPTO_TFM_RES_MASK);
186 keyp += NHPOLY1305_KEY_SIZE;
187 WARN_ON(keyp != &data->derived_keys[ARRAY_SIZE(data->derived_keys)]);
188out:
189 kzfree(data);
190 return err;
191}
192
193/* Addition in Z/(2^{128}Z) */
194static inline void le128_add(le128 *r, const le128 *v1, const le128 *v2)
195{
196 u64 x = le64_to_cpu(v1->b);
197 u64 y = le64_to_cpu(v2->b);
198
199 r->b = cpu_to_le64(x + y);
200 r->a = cpu_to_le64(le64_to_cpu(v1->a) + le64_to_cpu(v2->a) +
201 (x + y < x));
202}
203
204/* Subtraction in Z/(2^{128}Z) */
205static inline void le128_sub(le128 *r, const le128 *v1, const le128 *v2)
206{
207 u64 x = le64_to_cpu(v1->b);
208 u64 y = le64_to_cpu(v2->b);
209
210 r->b = cpu_to_le64(x - y);
211 r->a = cpu_to_le64(le64_to_cpu(v1->a) - le64_to_cpu(v2->a) -
212 (x - y > x));
213}
214
215/*
216 * Apply the Poly1305 εA∆U hash function to (message length, tweak) and save the
217 * result to rctx->header_hash.
218 *
219 * This value is reused in both the first and second hash steps. Specifically,
220 * it's added to the result of an independently keyed εA∆U hash function (for
221 * equal length inputs only) taken over the message. This gives the overall
222 * Adiantum hash of the (tweak, message) pair.
223 */
224static void adiantum_hash_header(struct skcipher_request *req)
225{
226 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
227 const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
228 struct adiantum_request_ctx *rctx = skcipher_request_ctx(req);
229 const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE;
230 struct {
231 __le64 message_bits;
232 __le64 padding;
233 } header = {
234 .message_bits = cpu_to_le64((u64)bulk_len * 8)
235 };
236 struct poly1305_state state;
237
238 poly1305_core_init(&state);
239
240 BUILD_BUG_ON(sizeof(header) % POLY1305_BLOCK_SIZE != 0);
241 poly1305_core_blocks(&state, &tctx->header_hash_key,
242 &header, sizeof(header) / POLY1305_BLOCK_SIZE);
243
244 BUILD_BUG_ON(TWEAK_SIZE % POLY1305_BLOCK_SIZE != 0);
245 poly1305_core_blocks(&state, &tctx->header_hash_key, req->iv,
246 TWEAK_SIZE / POLY1305_BLOCK_SIZE);
247
248 poly1305_core_emit(&state, &rctx->header_hash);
249}
250
251/* Hash the left-hand block (the "bulk") of the message using NHPoly1305 */
252static int adiantum_hash_message(struct skcipher_request *req,
253 struct scatterlist *sgl, le128 *digest)
254{
255 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
256 const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
257 struct adiantum_request_ctx *rctx = skcipher_request_ctx(req);
258 const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE;
259 struct shash_desc *hash_desc = &rctx->u.hash_desc;
260 struct sg_mapping_iter miter;
261 unsigned int i, n;
262 int err;
263
264 hash_desc->tfm = tctx->hash;
265 hash_desc->flags = 0;
266
267 err = crypto_shash_init(hash_desc);
268 if (err)
269 return err;
270
271 sg_miter_start(&miter, sgl, sg_nents(sgl),
272 SG_MITER_FROM_SG | SG_MITER_ATOMIC);
273 for (i = 0; i < bulk_len; i += n) {
274 sg_miter_next(&miter);
275 n = min_t(unsigned int, miter.length, bulk_len - i);
276 err = crypto_shash_update(hash_desc, miter.addr, n);
277 if (err)
278 break;
279 }
280 sg_miter_stop(&miter);
281 if (err)
282 return err;
283
284 return crypto_shash_final(hash_desc, (u8 *)digest);
285}
286
287/* Continue Adiantum encryption/decryption after the stream cipher step */
288static int adiantum_finish(struct skcipher_request *req)
289{
290 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
291 const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
292 struct adiantum_request_ctx *rctx = skcipher_request_ctx(req);
293 const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE;
294 le128 digest;
295 int err;
296
297 /* If decrypting, decrypt C_M with the block cipher to get P_M */
298 if (!rctx->enc)
299 crypto_cipher_decrypt_one(tctx->blockcipher, rctx->rbuf.bytes,
300 rctx->rbuf.bytes);
301
302 /*
303 * Second hash step
304 * enc: C_R = C_M - H_{K_H}(T, C_L)
305 * dec: P_R = P_M - H_{K_H}(T, P_L)
306 */
307 err = adiantum_hash_message(req, req->dst, &digest);
308 if (err)
309 return err;
310 le128_add(&digest, &digest, &rctx->header_hash);
311 le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest);
312 scatterwalk_map_and_copy(&rctx->rbuf.bignum, req->dst,
313 bulk_len, BLOCKCIPHER_BLOCK_SIZE, 1);
314 return 0;
315}
316
317static void adiantum_streamcipher_done(struct crypto_async_request *areq,
318 int err)
319{
320 struct skcipher_request *req = areq->data;
321
322 if (!err)
323 err = adiantum_finish(req);
324
325 skcipher_request_complete(req, err);
326}
327
328static int adiantum_crypt(struct skcipher_request *req, bool enc)
329{
330 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
331 const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
332 struct adiantum_request_ctx *rctx = skcipher_request_ctx(req);
333 const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE;
334 unsigned int stream_len;
335 le128 digest;
336 int err;
337
338 if (req->cryptlen < BLOCKCIPHER_BLOCK_SIZE)
339 return -EINVAL;
340
341 rctx->enc = enc;
342
343 /*
344 * First hash step
345 * enc: P_M = P_R + H_{K_H}(T, P_L)
346 * dec: C_M = C_R + H_{K_H}(T, C_L)
347 */
348 adiantum_hash_header(req);
349 err = adiantum_hash_message(req, req->src, &digest);
350 if (err)
351 return err;
352 le128_add(&digest, &digest, &rctx->header_hash);
353 scatterwalk_map_and_copy(&rctx->rbuf.bignum, req->src,
354 bulk_len, BLOCKCIPHER_BLOCK_SIZE, 0);
355 le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest);
356
357 /* If encrypting, encrypt P_M with the block cipher to get C_M */
358 if (enc)
359 crypto_cipher_encrypt_one(tctx->blockcipher, rctx->rbuf.bytes,
360 rctx->rbuf.bytes);
361
362 /* Initialize the rest of the XChaCha IV (first part is C_M) */
363 BUILD_BUG_ON(BLOCKCIPHER_BLOCK_SIZE != 16);
364 BUILD_BUG_ON(XCHACHA_IV_SIZE != 32); /* nonce || stream position */
365 rctx->rbuf.words[4] = cpu_to_le32(1);
366 rctx->rbuf.words[5] = 0;
367 rctx->rbuf.words[6] = 0;
368 rctx->rbuf.words[7] = 0;
369
370 /*
371 * XChaCha needs to be done on all the data except the last 16 bytes;
372 * for disk encryption that usually means 4080 or 496 bytes. But ChaCha
373 * implementations tend to be most efficient when passed a whole number
374 * of 64-byte ChaCha blocks, or sometimes even a multiple of 256 bytes.
375 * And here it doesn't matter whether the last 16 bytes are written to,
376 * as the second hash step will overwrite them. Thus, round the XChaCha
377 * length up to the next 64-byte boundary if possible.
378 */
379 stream_len = bulk_len;
380 if (round_up(stream_len, CHACHA_BLOCK_SIZE) <= req->cryptlen)
381 stream_len = round_up(stream_len, CHACHA_BLOCK_SIZE);
382
383 skcipher_request_set_tfm(&rctx->u.streamcipher_req, tctx->streamcipher);
384 skcipher_request_set_crypt(&rctx->u.streamcipher_req, req->src,
385 req->dst, stream_len, &rctx->rbuf);
386 skcipher_request_set_callback(&rctx->u.streamcipher_req,
387 req->base.flags,
388 adiantum_streamcipher_done, req);
389 return crypto_skcipher_encrypt(&rctx->u.streamcipher_req) ?:
390 adiantum_finish(req);
391}
392
393static int adiantum_encrypt(struct skcipher_request *req)
394{
395 return adiantum_crypt(req, true);
396}
397
398static int adiantum_decrypt(struct skcipher_request *req)
399{
400 return adiantum_crypt(req, false);
401}
402
403static int adiantum_init_tfm(struct crypto_skcipher *tfm)
404{
405 struct skcipher_instance *inst = skcipher_alg_instance(tfm);
406 struct adiantum_instance_ctx *ictx = skcipher_instance_ctx(inst);
407 struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
408 struct crypto_skcipher *streamcipher;
409 struct crypto_cipher *blockcipher;
410 struct crypto_shash *hash;
411 unsigned int subreq_size;
412 int err;
413
414 streamcipher = crypto_spawn_skcipher(&ictx->streamcipher_spawn);
415 if (IS_ERR(streamcipher))
416 return PTR_ERR(streamcipher);
417
418 blockcipher = crypto_spawn_cipher(&ictx->blockcipher_spawn);
419 if (IS_ERR(blockcipher)) {
420 err = PTR_ERR(blockcipher);
421 goto err_free_streamcipher;
422 }
423
424 hash = crypto_spawn_shash(&ictx->hash_spawn);
425 if (IS_ERR(hash)) {
426 err = PTR_ERR(hash);
427 goto err_free_blockcipher;
428 }
429
430 tctx->streamcipher = streamcipher;
431 tctx->blockcipher = blockcipher;
432 tctx->hash = hash;
433
434 BUILD_BUG_ON(offsetofend(struct adiantum_request_ctx, u) !=
435 sizeof(struct adiantum_request_ctx));
436 subreq_size = max(FIELD_SIZEOF(struct adiantum_request_ctx,
437 u.hash_desc) +
438 crypto_shash_descsize(hash),
439 FIELD_SIZEOF(struct adiantum_request_ctx,
440 u.streamcipher_req) +
441 crypto_skcipher_reqsize(streamcipher));
442
443 crypto_skcipher_set_reqsize(tfm,
444 offsetof(struct adiantum_request_ctx, u) +
445 subreq_size);
446 return 0;
447
448err_free_blockcipher:
449 crypto_free_cipher(blockcipher);
450err_free_streamcipher:
451 crypto_free_skcipher(streamcipher);
452 return err;
453}
454
455static void adiantum_exit_tfm(struct crypto_skcipher *tfm)
456{
457 struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
458
459 crypto_free_skcipher(tctx->streamcipher);
460 crypto_free_cipher(tctx->blockcipher);
461 crypto_free_shash(tctx->hash);
462}
463
464static void adiantum_free_instance(struct skcipher_instance *inst)
465{
466 struct adiantum_instance_ctx *ictx = skcipher_instance_ctx(inst);
467
468 crypto_drop_skcipher(&ictx->streamcipher_spawn);
469 crypto_drop_spawn(&ictx->blockcipher_spawn);
470 crypto_drop_shash(&ictx->hash_spawn);
471 kfree(inst);
472}
473
474/*
475 * Check for a supported set of inner algorithms.
476 * See the comment at the beginning of this file.
477 */
478static bool adiantum_supported_algorithms(struct skcipher_alg *streamcipher_alg,
479 struct crypto_alg *blockcipher_alg,
480 struct shash_alg *hash_alg)
481{
482 if (strcmp(streamcipher_alg->base.cra_name, "xchacha12") != 0 &&
483 strcmp(streamcipher_alg->base.cra_name, "xchacha20") != 0)
484 return false;
485
486 if (blockcipher_alg->cra_cipher.cia_min_keysize > BLOCKCIPHER_KEY_SIZE ||
487 blockcipher_alg->cra_cipher.cia_max_keysize < BLOCKCIPHER_KEY_SIZE)
488 return false;
489 if (blockcipher_alg->cra_blocksize != BLOCKCIPHER_BLOCK_SIZE)
490 return false;
491
492 if (strcmp(hash_alg->base.cra_name, "nhpoly1305") != 0)
493 return false;
494
495 return true;
496}
497
498static int adiantum_create(struct crypto_template *tmpl, struct rtattr **tb)
499{
500 struct crypto_attr_type *algt;
501 const char *streamcipher_name;
502 const char *blockcipher_name;
503 const char *nhpoly1305_name;
504 struct skcipher_instance *inst;
505 struct adiantum_instance_ctx *ictx;
506 struct skcipher_alg *streamcipher_alg;
507 struct crypto_alg *blockcipher_alg;
508 struct crypto_alg *_hash_alg;
509 struct shash_alg *hash_alg;
510 int err;
511
512 algt = crypto_get_attr_type(tb);
513 if (IS_ERR(algt))
514 return PTR_ERR(algt);
515
516 if ((algt->type ^ CRYPTO_ALG_TYPE_SKCIPHER) & algt->mask)
517 return -EINVAL;
518
519 streamcipher_name = crypto_attr_alg_name(tb[1]);
520 if (IS_ERR(streamcipher_name))
521 return PTR_ERR(streamcipher_name);
522
523 blockcipher_name = crypto_attr_alg_name(tb[2]);
524 if (IS_ERR(blockcipher_name))
525 return PTR_ERR(blockcipher_name);
526
527 nhpoly1305_name = crypto_attr_alg_name(tb[3]);
528 if (nhpoly1305_name == ERR_PTR(-ENOENT))
529 nhpoly1305_name = "nhpoly1305";
530 if (IS_ERR(nhpoly1305_name))
531 return PTR_ERR(nhpoly1305_name);
532
533 inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL);
534 if (!inst)
535 return -ENOMEM;
536 ictx = skcipher_instance_ctx(inst);
537
538 /* Stream cipher, e.g. "xchacha12" */
539 err = crypto_grab_skcipher(&ictx->streamcipher_spawn, streamcipher_name,
540 0, crypto_requires_sync(algt->type,
541 algt->mask));
542 if (err)
543 goto out_free_inst;
544 streamcipher_alg = crypto_spawn_skcipher_alg(&ictx->streamcipher_spawn);
545
546 /* Block cipher, e.g. "aes" */
547 err = crypto_grab_spawn(&ictx->blockcipher_spawn, blockcipher_name,
548 CRYPTO_ALG_TYPE_CIPHER, CRYPTO_ALG_TYPE_MASK);
549 if (err)
550 goto out_drop_streamcipher;
551 blockcipher_alg = ictx->blockcipher_spawn.alg;
552
553 /* NHPoly1305 εA∆U hash function */
554 _hash_alg = crypto_alg_mod_lookup(nhpoly1305_name,
555 CRYPTO_ALG_TYPE_SHASH,
556 CRYPTO_ALG_TYPE_MASK);
557 if (IS_ERR(_hash_alg)) {
558 err = PTR_ERR(_hash_alg);
559 goto out_drop_blockcipher;
560 }
561 hash_alg = __crypto_shash_alg(_hash_alg);
562 err = crypto_init_shash_spawn(&ictx->hash_spawn, hash_alg,
563 skcipher_crypto_instance(inst));
564 if (err) {
565 crypto_mod_put(_hash_alg);
566 goto out_drop_blockcipher;
567 }
568
569 /* Check the set of algorithms */
570 if (!adiantum_supported_algorithms(streamcipher_alg, blockcipher_alg,
571 hash_alg)) {
572 pr_warn("Unsupported Adiantum instantiation: (%s,%s,%s)\n",
573 streamcipher_alg->base.cra_name,
574 blockcipher_alg->cra_name, hash_alg->base.cra_name);
575 err = -EINVAL;
576 goto out_drop_hash;
577 }
578
579 /* Instance fields */
580
581 err = -ENAMETOOLONG;
582 if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
583 "adiantum(%s,%s)", streamcipher_alg->base.cra_name,
584 blockcipher_alg->cra_name) >= CRYPTO_MAX_ALG_NAME)
585 goto out_drop_hash;
586 if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
587 "adiantum(%s,%s,%s)",
588 streamcipher_alg->base.cra_driver_name,
589 blockcipher_alg->cra_driver_name,
590 hash_alg->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
591 goto out_drop_hash;
592
593 inst->alg.base.cra_blocksize = BLOCKCIPHER_BLOCK_SIZE;
594 inst->alg.base.cra_ctxsize = sizeof(struct adiantum_tfm_ctx);
595 inst->alg.base.cra_alignmask = streamcipher_alg->base.cra_alignmask |
596 hash_alg->base.cra_alignmask;
597 /*
598 * The block cipher is only invoked once per message, so for long
599 * messages (e.g. sectors for disk encryption) its performance doesn't
600 * matter as much as that of the stream cipher and hash function. Thus,
601 * weigh the block cipher's ->cra_priority less.
602 */
603 inst->alg.base.cra_priority = (4 * streamcipher_alg->base.cra_priority +
604 2 * hash_alg->base.cra_priority +
605 blockcipher_alg->cra_priority) / 7;
606
607 inst->alg.setkey = adiantum_setkey;
608 inst->alg.encrypt = adiantum_encrypt;
609 inst->alg.decrypt = adiantum_decrypt;
610 inst->alg.init = adiantum_init_tfm;
611 inst->alg.exit = adiantum_exit_tfm;
612 inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(streamcipher_alg);
613 inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(streamcipher_alg);
614 inst->alg.ivsize = TWEAK_SIZE;
615
616 inst->free = adiantum_free_instance;
617
618 err = skcipher_register_instance(tmpl, inst);
619 if (err)
620 goto out_drop_hash;
621
622 return 0;
623
624out_drop_hash:
625 crypto_drop_shash(&ictx->hash_spawn);
626out_drop_blockcipher:
627 crypto_drop_spawn(&ictx->blockcipher_spawn);
628out_drop_streamcipher:
629 crypto_drop_skcipher(&ictx->streamcipher_spawn);
630out_free_inst:
631 kfree(inst);
632 return err;
633}
634
635/* adiantum(streamcipher_name, blockcipher_name [, nhpoly1305_name]) */
636static struct crypto_template adiantum_tmpl = {
637 .name = "adiantum",
638 .create = adiantum_create,
639 .module = THIS_MODULE,
640};
641
642static int __init adiantum_module_init(void)
643{
644 return crypto_register_template(&adiantum_tmpl);
645}
646
647static void __exit adiantum_module_exit(void)
648{
649 crypto_unregister_template(&adiantum_tmpl);
650}
651
652module_init(adiantum_module_init);
653module_exit(adiantum_module_exit);
654
655MODULE_DESCRIPTION("Adiantum length-preserving encryption mode");
656MODULE_LICENSE("GPL v2");
657MODULE_AUTHOR("Eric Biggers <ebiggers@google.com>");
658MODULE_ALIAS_CRYPTO("adiantum");
diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c
index 5fb120474902..0590a9204562 100644
--- a/crypto/tcrypt.c
+++ b/crypto/tcrypt.c
@@ -2320,6 +2320,18 @@ static int do_test(const char *alg, u32 type, u32 mask, int m, u32 num_mb)
2320 test_cipher_speed("ctr(sm4)", DECRYPT, sec, NULL, 0, 2320 test_cipher_speed("ctr(sm4)", DECRYPT, sec, NULL, 0,
2321 speed_template_16); 2321 speed_template_16);
2322 break; 2322 break;
2323
2324 case 219:
2325 test_cipher_speed("adiantum(xchacha12,aes)", ENCRYPT, sec, NULL,
2326 0, speed_template_32);
2327 test_cipher_speed("adiantum(xchacha12,aes)", DECRYPT, sec, NULL,
2328 0, speed_template_32);
2329 test_cipher_speed("adiantum(xchacha20,aes)", ENCRYPT, sec, NULL,
2330 0, speed_template_32);
2331 test_cipher_speed("adiantum(xchacha20,aes)", DECRYPT, sec, NULL,
2332 0, speed_template_32);
2333 break;
2334
2323 case 300: 2335 case 300:
2324 if (alg) { 2336 if (alg) {
2325 test_hash_speed(alg, sec, generic_hash_speed_template); 2337 test_hash_speed(alg, sec, generic_hash_speed_template);
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 665911c24786..0f684a414acb 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -2404,6 +2404,18 @@ static int alg_test_null(const struct alg_test_desc *desc,
2404/* Please keep this list sorted by algorithm name. */ 2404/* Please keep this list sorted by algorithm name. */
2405static const struct alg_test_desc alg_test_descs[] = { 2405static const struct alg_test_desc alg_test_descs[] = {
2406 { 2406 {
2407 .alg = "adiantum(xchacha12,aes)",
2408 .test = alg_test_skcipher,
2409 .suite = {
2410 .cipher = __VECS(adiantum_xchacha12_aes_tv_template)
2411 },
2412 }, {
2413 .alg = "adiantum(xchacha20,aes)",
2414 .test = alg_test_skcipher,
2415 .suite = {
2416 .cipher = __VECS(adiantum_xchacha20_aes_tv_template)
2417 },
2418 }, {
2407 .alg = "aegis128", 2419 .alg = "aegis128",
2408 .test = alg_test_aead, 2420 .test = alg_test_aead,
2409 .suite = { 2421 .suite = {
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 50ea1f2705c7..e7e56a8febbc 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -33381,6 +33381,467 @@ static const struct cipher_testvec xchacha12_tv_template[] = {
33381 }, 33381 },
33382}; 33382};
33383 33383
33384/* Adiantum test vectors from https://github.com/google/adiantum */
33385static const struct cipher_testvec adiantum_xchacha12_aes_tv_template[] = {
33386 {
33387 .key = "\x9e\xeb\xb2\x49\x3c\x1c\xf5\xf4"
33388 "\x6a\x99\xc2\xc4\xdf\xb1\xf4\xdd"
33389 "\x75\x20\x57\xea\x2c\x4f\xcd\xb2"
33390 "\xa5\x3d\x7b\x49\x1e\xab\xfd\x0f",
33391 .klen = 32,
33392 .iv = "\xdf\x63\xd4\xab\xd2\x49\xf3\xd8"
33393 "\x33\x81\x37\x60\x7d\xfa\x73\x08"
33394 "\xd8\x49\x6d\x80\xe8\x2f\x62\x54"
33395 "\xeb\x0e\xa9\x39\x5b\x45\x7f\x8a",
33396 .ptext = "\x67\xc9\xf2\x30\x84\x41\x8e\x43"
33397 "\xfb\xf3\xb3\x3e\x79\x36\x7f\xe8",
33398 .ctext = "\x6d\x32\x86\x18\x67\x86\x0f\x3f"
33399 "\x96\x7c\x9d\x28\x0d\x53\xec\x9f",
33400 .len = 16,
33401 .also_non_np = 1,
33402 .np = 2,
33403 .tap = { 14, 2 },
33404 }, {
33405 .key = "\x36\x2b\x57\x97\xf8\x5d\xcd\x99"
33406 "\x5f\x1a\x5a\x44\x1d\x92\x0f\x27"
33407 "\xcc\x16\xd7\x2b\x85\x63\x99\xd3"
33408 "\xba\x96\xa1\xdb\xd2\x60\x68\xda",
33409 .klen = 32,
33410 .iv = "\xef\x58\x69\xb1\x2c\x5e\x9a\x47"
33411 "\x24\xc1\xb1\x69\xe1\x12\x93\x8f"
33412 "\x43\x3d\x6d\x00\xdb\x5e\xd8\xd9"
33413 "\x12\x9a\xfe\xd9\xff\x2d\xaa\xc4",
33414 .ptext = "\x5e\xa8\x68\x19\x85\x98\x12\x23"
33415 "\x26\x0a\xcc\xdb\x0a\x04\xb9\xdf"
33416 "\x4d\xb3\x48\x7b\xb0\xe3\xc8\x19"
33417 "\x43\x5a\x46\x06\x94\x2d\xf2",
33418 .ctext = "\xc7\xc6\xf1\x73\x8f\xc4\xff\x4a"
33419 "\x39\xbe\x78\xbe\x8d\x28\xc8\x89"
33420 "\x46\x63\xe7\x0c\x7d\x87\xe8\x4e"
33421 "\xc9\x18\x7b\xbe\x18\x60\x50",
33422 .len = 31,
33423 }, {
33424 .key = "\xa5\x28\x24\x34\x1a\x3c\xd8\xf7"
33425 "\x05\x91\x8f\xee\x85\x1f\x35\x7f"
33426 "\x80\x3d\xfc\x9b\x94\xf6\xfc\x9e"
33427 "\x19\x09\x00\xa9\x04\x31\x4f\x11",
33428 .klen = 32,
33429 .iv = "\xa1\xba\x49\x95\xff\x34\x6d\xb8"
33430 "\xcd\x87\x5d\x5e\xfd\xea\x85\xdb"
33431 "\x8a\x7b\x5e\xb2\x5d\x57\xdd\x62"
33432 "\xac\xa9\x8c\x41\x42\x94\x75\xb7",
33433 .ptext = "\x69\xb4\xe8\x8c\x37\xe8\x67\x82"
33434 "\xf1\xec\x5d\x04\xe5\x14\x91\x13"
33435 "\xdf\xf2\x87\x1b\x69\x81\x1d\x71"
33436 "\x70\x9e\x9c\x3b\xde\x49\x70\x11"
33437 "\xa0\xa3\xdb\x0d\x54\x4f\x66\x69"
33438 "\xd7\xdb\x80\xa7\x70\x92\x68\xce"
33439 "\x81\x04\x2c\xc6\xab\xae\xe5\x60"
33440 "\x15\xe9\x6f\xef\xaa\x8f\xa7\xa7"
33441 "\x63\x8f\xf2\xf0\x77\xf1\xa8\xea"
33442 "\xe1\xb7\x1f\x9e\xab\x9e\x4b\x3f"
33443 "\x07\x87\x5b\x6f\xcd\xa8\xaf\xb9"
33444 "\xfa\x70\x0b\x52\xb8\xa8\xa7\x9e"
33445 "\x07\x5f\xa6\x0e\xb3\x9b\x79\x13"
33446 "\x79\xc3\x3e\x8d\x1c\x2c\x68\xc8"
33447 "\x51\x1d\x3c\x7b\x7d\x79\x77\x2a"
33448 "\x56\x65\xc5\x54\x23\x28\xb0\x03",
33449 .ctext = "\x9e\x16\xab\xed\x4b\xa7\x42\x5a"
33450 "\xc6\xfb\x4e\x76\xff\xbe\x03\xa0"
33451 "\x0f\xe3\xad\xba\xe4\x98\x2b\x0e"
33452 "\x21\x48\xa0\xb8\x65\x48\x27\x48"
33453 "\x84\x54\x54\xb2\x9a\x94\x7b\xe6"
33454 "\x4b\x29\xe9\xcf\x05\x91\x80\x1a"
33455 "\x3a\xf3\x41\x96\x85\x1d\x9f\x74"
33456 "\x51\x56\x63\xfa\x7c\x28\x85\x49"
33457 "\xf7\x2f\xf9\xf2\x18\x46\xf5\x33"
33458 "\x80\xa3\x3c\xce\xb2\x57\x93\xf5"
33459 "\xae\xbd\xa9\xf5\x7b\x30\xc4\x93"
33460 "\x66\xe0\x30\x77\x16\xe4\xa0\x31"
33461 "\xba\x70\xbc\x68\x13\xf5\xb0\x9a"
33462 "\xc1\xfc\x7e\xfe\x55\x80\x5c\x48"
33463 "\x74\xa6\xaa\xa3\xac\xdc\xc2\xf5"
33464 "\x8d\xde\x34\x86\x78\x60\x75\x8d",
33465 .len = 128,
33466 .also_non_np = 1,
33467 .np = 4,
33468 .tap = { 104, 16, 4, 4 },
33469 }, {
33470 .key = "\xd3\x81\x72\x18\x23\xff\x6f\x4a"
33471 "\x25\x74\x29\x0d\x51\x8a\x0e\x13"
33472 "\xc1\x53\x5d\x30\x8d\xee\x75\x0d"
33473 "\x14\xd6\x69\xc9\x15\xa9\x0c\x60",
33474 .klen = 32,
33475 .iv = "\x65\x9b\xd4\xa8\x7d\x29\x1d\xf4"
33476 "\xc4\xd6\x9b\x6a\x28\xab\x64\xe2"
33477 "\x62\x81\x97\xc5\x81\xaa\xf9\x44"
33478 "\xc1\x72\x59\x82\xaf\x16\xc8\x2c",
33479 .ptext = "\xc7\x6b\x52\x6a\x10\xf0\xcc\x09"
33480 "\xc1\x12\x1d\x6d\x21\xa6\x78\xf5"
33481 "\x05\xa3\x69\x60\x91\x36\x98\x57"
33482 "\xba\x0c\x14\xcc\xf3\x2d\x73\x03"
33483 "\xc6\xb2\x5f\xc8\x16\x27\x37\x5d"
33484 "\xd0\x0b\x87\xb2\x50\x94\x7b\x58"
33485 "\x04\xf4\xe0\x7f\x6e\x57\x8e\xc9"
33486 "\x41\x84\xc1\xb1\x7e\x4b\x91\x12"
33487 "\x3a\x8b\x5d\x50\x82\x7b\xcb\xd9"
33488 "\x9a\xd9\x4e\x18\x06\x23\x9e\xd4"
33489 "\xa5\x20\x98\xef\xb5\xda\xe5\xc0"
33490 "\x8a\x6a\x83\x77\x15\x84\x1e\xae"
33491 "\x78\x94\x9d\xdf\xb7\xd1\xea\x67"
33492 "\xaa\xb0\x14\x15\xfa\x67\x21\x84"
33493 "\xd3\x41\x2a\xce\xba\x4b\x4a\xe8"
33494 "\x95\x62\xa9\x55\xf0\x80\xad\xbd"
33495 "\xab\xaf\xdd\x4f\xa5\x7c\x13\x36"
33496 "\xed\x5e\x4f\x72\xad\x4b\xf1\xd0"
33497 "\x88\x4e\xec\x2c\x88\x10\x5e\xea"
33498 "\x12\xc0\x16\x01\x29\xa3\xa0\x55"
33499 "\xaa\x68\xf3\xe9\x9d\x3b\x0d\x3b"
33500 "\x6d\xec\xf8\xa0\x2d\xf0\x90\x8d"
33501 "\x1c\xe2\x88\xd4\x24\x71\xf9\xb3"
33502 "\xc1\x9f\xc5\xd6\x76\x70\xc5\x2e"
33503 "\x9c\xac\xdb\x90\xbd\x83\x72\xba"
33504 "\x6e\xb5\xa5\x53\x83\xa9\xa5\xbf"
33505 "\x7d\x06\x0e\x3c\x2a\xd2\x04\xb5"
33506 "\x1e\x19\x38\x09\x16\xd2\x82\x1f"
33507 "\x75\x18\x56\xb8\x96\x0b\xa6\xf9"
33508 "\xcf\x62\xd9\x32\x5d\xa9\xd7\x1d"
33509 "\xec\xe4\xdf\x1b\xbe\xf1\x36\xee"
33510 "\xe3\x7b\xb5\x2f\xee\xf8\x53\x3d"
33511 "\x6a\xb7\x70\xa9\xfc\x9c\x57\x25"
33512 "\xf2\x89\x10\xd3\xb8\xa8\x8c\x30"
33513 "\xae\x23\x4f\x0e\x13\x66\x4f\xe1"
33514 "\xb6\xc0\xe4\xf8\xef\x93\xbd\x6e"
33515 "\x15\x85\x6b\xe3\x60\x81\x1d\x68"
33516 "\xd7\x31\x87\x89\x09\xab\xd5\x96"
33517 "\x1d\xf3\x6d\x67\x80\xca\x07\x31"
33518 "\x5d\xa7\xe4\xfb\x3e\xf2\x9b\x33"
33519 "\x52\x18\xc8\x30\xfe\x2d\xca\x1e"
33520 "\x79\x92\x7a\x60\x5c\xb6\x58\x87"
33521 "\xa4\x36\xa2\x67\x92\x8b\xa4\xb7"
33522 "\xf1\x86\xdf\xdc\xc0\x7e\x8f\x63"
33523 "\xd2\xa2\xdc\x78\xeb\x4f\xd8\x96"
33524 "\x47\xca\xb8\x91\xf9\xf7\x94\x21"
33525 "\x5f\x9a\x9f\x5b\xb8\x40\x41\x4b"
33526 "\x66\x69\x6a\x72\xd0\xcb\x70\xb7"
33527 "\x93\xb5\x37\x96\x05\x37\x4f\xe5"
33528 "\x8c\xa7\x5a\x4e\x8b\xb7\x84\xea"
33529 "\xc7\xfc\x19\x6e\x1f\x5a\xa1\xac"
33530 "\x18\x7d\x52\x3b\xb3\x34\x62\x99"
33531 "\xe4\x9e\x31\x04\x3f\xc0\x8d\x84"
33532 "\x17\x7c\x25\x48\x52\x67\x11\x27"
33533 "\x67\xbb\x5a\x85\xca\x56\xb2\x5c"
33534 "\xe6\xec\xd5\x96\x3d\x15\xfc\xfb"
33535 "\x22\x25\xf4\x13\xe5\x93\x4b\x9a"
33536 "\x77\xf1\x52\x18\xfa\x16\x5e\x49"
33537 "\x03\x45\xa8\x08\xfa\xb3\x41\x92"
33538 "\x79\x50\x33\xca\xd0\xd7\x42\x55"
33539 "\xc3\x9a\x0c\x4e\xd9\xa4\x3c\x86"
33540 "\x80\x9f\x53\xd1\xa4\x2e\xd1\xbc"
33541 "\xf1\x54\x6e\x93\xa4\x65\x99\x8e"
33542 "\xdf\x29\xc0\x64\x63\x07\xbb\xea",
33543 .ctext = "\x15\x97\xd0\x86\x18\x03\x9c\x51"
33544 "\xc5\x11\x36\x62\x13\x92\xe6\x73"
33545 "\x29\x79\xde\xa1\x00\x3e\x08\x64"
33546 "\x17\x1a\xbc\xd5\xfe\x33\x0e\x0c"
33547 "\x7c\x94\xa7\xc6\x3c\xbe\xac\xa2"
33548 "\x89\xe6\xbc\xdf\x0c\x33\x27\x42"
33549 "\x46\x73\x2f\xba\x4e\xa6\x46\x8f"
33550 "\xe4\xee\x39\x63\x42\x65\xa3\x88"
33551 "\x7a\xad\x33\x23\xa9\xa7\x20\x7f"
33552 "\x0b\xe6\x6a\xc3\x60\xda\x9e\xb4"
33553 "\xd6\x07\x8a\x77\x26\xd1\xab\x44"
33554 "\x99\x55\x03\x5e\xed\x8d\x7b\xbd"
33555 "\xc8\x21\xb7\x21\x30\x3f\xc0\xb5"
33556 "\xc8\xec\x6c\x23\xa6\xa3\x6d\xf1"
33557 "\x30\x0a\xd0\xa6\xa9\x28\x69\xae"
33558 "\x2a\xe6\x54\xac\x82\x9d\x6a\x95"
33559 "\x6f\x06\x44\xc5\x5a\x77\x6e\xec"
33560 "\xf8\xf8\x63\xb2\xe6\xaa\xbd\x8e"
33561 "\x0e\x8a\x62\x00\x03\xc8\x84\xdd"
33562 "\x47\x4a\xc3\x55\xba\xb7\xe7\xdf"
33563 "\x08\xbf\x62\xf5\xe8\xbc\xb6\x11"
33564 "\xe4\xcb\xd0\x66\x74\x32\xcf\xd4"
33565 "\xf8\x51\x80\x39\x14\x05\x12\xdb"
33566 "\x87\x93\xe2\x26\x30\x9c\x3a\x21"
33567 "\xe5\xd0\x38\x57\x80\x15\xe4\x08"
33568 "\x58\x05\x49\x7d\xe6\x92\x77\x70"
33569 "\xfb\x1e\x2d\x6a\x84\x00\xc8\x68"
33570 "\xf7\x1a\xdd\xf0\x7b\x38\x1e\xd8"
33571 "\x2c\x78\x78\x61\xcf\xe3\xde\x69"
33572 "\x1f\xd5\x03\xd5\x1a\xb4\xcf\x03"
33573 "\xc8\x7a\x70\x68\x35\xb4\xf6\xbe"
33574 "\x90\x62\xb2\x28\x99\x86\xf5\x44"
33575 "\x99\xeb\x31\xcf\xca\xdf\xd0\x21"
33576 "\xd6\x60\xf7\x0f\x40\xb4\x80\xb7"
33577 "\xab\xe1\x9b\x45\xba\x66\xda\xee"
33578 "\xdd\x04\x12\x40\x98\xe1\x69\xe5"
33579 "\x2b\x9c\x59\x80\xe7\x7b\xcc\x63"
33580 "\xa6\xc0\x3a\xa9\xfe\x8a\xf9\x62"
33581 "\x11\x34\x61\x94\x35\xfe\xf2\x99"
33582 "\xfd\xee\x19\xea\x95\xb6\x12\xbf"
33583 "\x1b\xdf\x02\x1a\xcc\x3e\x7e\x65"
33584 "\x78\x74\x10\x50\x29\x63\x28\xea"
33585 "\x6b\xab\xd4\x06\x4d\x15\x24\x31"
33586 "\xc7\x0a\xc9\x16\xb6\x48\xf0\xbf"
33587 "\x49\xdb\x68\x71\x31\x8f\x87\xe2"
33588 "\x13\x05\x64\xd6\x22\x0c\xf8\x36"
33589 "\x84\x24\x3e\x69\x5e\xb8\x9e\x16"
33590 "\x73\x6c\x83\x1e\xe0\x9f\x9e\xba"
33591 "\xe5\x59\x21\x33\x1b\xa9\x26\xc2"
33592 "\xc7\xd9\x30\x73\xb6\xa6\x73\x82"
33593 "\x19\xfa\x44\x4d\x40\x8b\x69\x04"
33594 "\x94\x74\xea\x6e\xb3\x09\x47\x01"
33595 "\x2a\xb9\x78\x34\x43\x11\xed\xd6"
33596 "\x8c\x95\x65\x1b\x85\x67\xa5\x40"
33597 "\xac\x9c\x05\x4b\x57\x4a\xa9\x96"
33598 "\x0f\xdd\x4f\xa1\xe0\xcf\x6e\xc7"
33599 "\x1b\xed\xa2\xb4\x56\x8c\x09\x6e"
33600 "\xa6\x65\xd7\x55\x81\xb7\xed\x11"
33601 "\x9b\x40\x75\xa8\x6b\x56\xaf\x16"
33602 "\x8b\x3d\xf4\xcb\xfe\xd5\x1d\x3d"
33603 "\x85\xc2\xc0\xde\x43\x39\x4a\x96"
33604 "\xba\x88\x97\xc0\xd6\x00\x0e\x27"
33605 "\x21\xb0\x21\x52\xba\xa7\x37\xaa"
33606 "\xcc\xbf\x95\xa8\xf4\xd0\x91\xf6",
33607 .len = 512,
33608 .also_non_np = 1,
33609 .np = 2,
33610 .tap = { 144, 368 },
33611 }
33612};
33613
33614/* Adiantum with XChaCha20 instead of XChaCha12 */
33615/* Test vectors from https://github.com/google/adiantum */
33616static const struct cipher_testvec adiantum_xchacha20_aes_tv_template[] = {
33617 {
33618 .key = "\x9e\xeb\xb2\x49\x3c\x1c\xf5\xf4"
33619 "\x6a\x99\xc2\xc4\xdf\xb1\xf4\xdd"
33620 "\x75\x20\x57\xea\x2c\x4f\xcd\xb2"
33621 "\xa5\x3d\x7b\x49\x1e\xab\xfd\x0f",
33622 .klen = 32,
33623 .iv = "\xdf\x63\xd4\xab\xd2\x49\xf3\xd8"
33624 "\x33\x81\x37\x60\x7d\xfa\x73\x08"
33625 "\xd8\x49\x6d\x80\xe8\x2f\x62\x54"
33626 "\xeb\x0e\xa9\x39\x5b\x45\x7f\x8a",
33627 .ptext = "\x67\xc9\xf2\x30\x84\x41\x8e\x43"
33628 "\xfb\xf3\xb3\x3e\x79\x36\x7f\xe8",
33629 .ctext = "\xf6\x78\x97\xd6\xaa\x94\x01\x27"
33630 "\x2e\x4d\x83\xe0\x6e\x64\x9a\xdf",
33631 .len = 16,
33632 .also_non_np = 1,
33633 .np = 3,
33634 .tap = { 5, 2, 9 },
33635 }, {
33636 .key = "\x36\x2b\x57\x97\xf8\x5d\xcd\x99"
33637 "\x5f\x1a\x5a\x44\x1d\x92\x0f\x27"
33638 "\xcc\x16\xd7\x2b\x85\x63\x99\xd3"
33639 "\xba\x96\xa1\xdb\xd2\x60\x68\xda",
33640 .klen = 32,
33641 .iv = "\xef\x58\x69\xb1\x2c\x5e\x9a\x47"
33642 "\x24\xc1\xb1\x69\xe1\x12\x93\x8f"
33643 "\x43\x3d\x6d\x00\xdb\x5e\xd8\xd9"
33644 "\x12\x9a\xfe\xd9\xff\x2d\xaa\xc4",
33645 .ptext = "\x5e\xa8\x68\x19\x85\x98\x12\x23"
33646 "\x26\x0a\xcc\xdb\x0a\x04\xb9\xdf"
33647 "\x4d\xb3\x48\x7b\xb0\xe3\xc8\x19"
33648 "\x43\x5a\x46\x06\x94\x2d\xf2",
33649 .ctext = "\x4b\xb8\x90\x10\xdf\x7f\x64\x08"
33650 "\x0e\x14\x42\x5f\x00\x74\x09\x36"
33651 "\x57\x72\xb5\xfd\xb5\x5d\xb8\x28"
33652 "\x0c\x04\x91\x14\x91\xe9\x37",
33653 .len = 31,
33654 .also_non_np = 1,
33655 .np = 2,
33656 .tap = { 16, 15 },
33657 }, {
33658 .key = "\xa5\x28\x24\x34\x1a\x3c\xd8\xf7"
33659 "\x05\x91\x8f\xee\x85\x1f\x35\x7f"
33660 "\x80\x3d\xfc\x9b\x94\xf6\xfc\x9e"
33661 "\x19\x09\x00\xa9\x04\x31\x4f\x11",
33662 .klen = 32,
33663 .iv = "\xa1\xba\x49\x95\xff\x34\x6d\xb8"
33664 "\xcd\x87\x5d\x5e\xfd\xea\x85\xdb"
33665 "\x8a\x7b\x5e\xb2\x5d\x57\xdd\x62"
33666 "\xac\xa9\x8c\x41\x42\x94\x75\xb7",
33667 .ptext = "\x69\xb4\xe8\x8c\x37\xe8\x67\x82"
33668 "\xf1\xec\x5d\x04\xe5\x14\x91\x13"
33669 "\xdf\xf2\x87\x1b\x69\x81\x1d\x71"
33670 "\x70\x9e\x9c\x3b\xde\x49\x70\x11"
33671 "\xa0\xa3\xdb\x0d\x54\x4f\x66\x69"
33672 "\xd7\xdb\x80\xa7\x70\x92\x68\xce"
33673 "\x81\x04\x2c\xc6\xab\xae\xe5\x60"
33674 "\x15\xe9\x6f\xef\xaa\x8f\xa7\xa7"
33675 "\x63\x8f\xf2\xf0\x77\xf1\xa8\xea"
33676 "\xe1\xb7\x1f\x9e\xab\x9e\x4b\x3f"
33677 "\x07\x87\x5b\x6f\xcd\xa8\xaf\xb9"
33678 "\xfa\x70\x0b\x52\xb8\xa8\xa7\x9e"
33679 "\x07\x5f\xa6\x0e\xb3\x9b\x79\x13"
33680 "\x79\xc3\x3e\x8d\x1c\x2c\x68\xc8"
33681 "\x51\x1d\x3c\x7b\x7d\x79\x77\x2a"
33682 "\x56\x65\xc5\x54\x23\x28\xb0\x03",
33683 .ctext = "\xb1\x8b\xa0\x05\x77\xa8\x4d\x59"
33684 "\x1b\x8e\x21\xfc\x3a\x49\xfa\xd4"
33685 "\xeb\x36\xf3\xc4\xdf\xdc\xae\x67"
33686 "\x07\x3f\x70\x0e\xe9\x66\xf5\x0c"
33687 "\x30\x4d\x66\xc9\xa4\x2f\x73\x9c"
33688 "\x13\xc8\x49\x44\xcc\x0a\x90\x9d"
33689 "\x7c\xdd\x19\x3f\xea\x72\x8d\x58"
33690 "\xab\xe7\x09\x2c\xec\xb5\x44\xd2"
33691 "\xca\xa6\x2d\x7a\x5c\x9c\x2b\x15"
33692 "\xec\x2a\xa6\x69\x91\xf9\xf3\x13"
33693 "\xf7\x72\xc1\xc1\x40\xd5\xe1\x94"
33694 "\xf4\x29\xa1\x3e\x25\x02\xa8\x3e"
33695 "\x94\xc1\x91\x14\xa1\x14\xcb\xbe"
33696 "\x67\x4c\xb9\x38\xfe\xa7\xaa\x32"
33697 "\x29\x62\x0d\xb2\xf6\x3c\x58\x57"
33698 "\xc1\xd5\x5a\xbb\xd6\xa6\x2a\xe5",
33699 .len = 128,
33700 .also_non_np = 1,
33701 .np = 4,
33702 .tap = { 112, 7, 8, 1 },
33703 }, {
33704 .key = "\xd3\x81\x72\x18\x23\xff\x6f\x4a"
33705 "\x25\x74\x29\x0d\x51\x8a\x0e\x13"
33706 "\xc1\x53\x5d\x30\x8d\xee\x75\x0d"
33707 "\x14\xd6\x69\xc9\x15\xa9\x0c\x60",
33708 .klen = 32,
33709 .iv = "\x65\x9b\xd4\xa8\x7d\x29\x1d\xf4"
33710 "\xc4\xd6\x9b\x6a\x28\xab\x64\xe2"
33711 "\x62\x81\x97\xc5\x81\xaa\xf9\x44"
33712 "\xc1\x72\x59\x82\xaf\x16\xc8\x2c",
33713 .ptext = "\xc7\x6b\x52\x6a\x10\xf0\xcc\x09"
33714 "\xc1\x12\x1d\x6d\x21\xa6\x78\xf5"
33715 "\x05\xa3\x69\x60\x91\x36\x98\x57"
33716 "\xba\x0c\x14\xcc\xf3\x2d\x73\x03"
33717 "\xc6\xb2\x5f\xc8\x16\x27\x37\x5d"
33718 "\xd0\x0b\x87\xb2\x50\x94\x7b\x58"
33719 "\x04\xf4\xe0\x7f\x6e\x57\x8e\xc9"
33720 "\x41\x84\xc1\xb1\x7e\x4b\x91\x12"
33721 "\x3a\x8b\x5d\x50\x82\x7b\xcb\xd9"
33722 "\x9a\xd9\x4e\x18\x06\x23\x9e\xd4"
33723 "\xa5\x20\x98\xef\xb5\xda\xe5\xc0"
33724 "\x8a\x6a\x83\x77\x15\x84\x1e\xae"
33725 "\x78\x94\x9d\xdf\xb7\xd1\xea\x67"
33726 "\xaa\xb0\x14\x15\xfa\x67\x21\x84"
33727 "\xd3\x41\x2a\xce\xba\x4b\x4a\xe8"
33728 "\x95\x62\xa9\x55\xf0\x80\xad\xbd"
33729 "\xab\xaf\xdd\x4f\xa5\x7c\x13\x36"
33730 "\xed\x5e\x4f\x72\xad\x4b\xf1\xd0"
33731 "\x88\x4e\xec\x2c\x88\x10\x5e\xea"
33732 "\x12\xc0\x16\x01\x29\xa3\xa0\x55"
33733 "\xaa\x68\xf3\xe9\x9d\x3b\x0d\x3b"
33734 "\x6d\xec\xf8\xa0\x2d\xf0\x90\x8d"
33735 "\x1c\xe2\x88\xd4\x24\x71\xf9\xb3"
33736 "\xc1\x9f\xc5\xd6\x76\x70\xc5\x2e"
33737 "\x9c\xac\xdb\x90\xbd\x83\x72\xba"
33738 "\x6e\xb5\xa5\x53\x83\xa9\xa5\xbf"
33739 "\x7d\x06\x0e\x3c\x2a\xd2\x04\xb5"
33740 "\x1e\x19\x38\x09\x16\xd2\x82\x1f"
33741 "\x75\x18\x56\xb8\x96\x0b\xa6\xf9"
33742 "\xcf\x62\xd9\x32\x5d\xa9\xd7\x1d"
33743 "\xec\xe4\xdf\x1b\xbe\xf1\x36\xee"
33744 "\xe3\x7b\xb5\x2f\xee\xf8\x53\x3d"
33745 "\x6a\xb7\x70\xa9\xfc\x9c\x57\x25"
33746 "\xf2\x89\x10\xd3\xb8\xa8\x8c\x30"
33747 "\xae\x23\x4f\x0e\x13\x66\x4f\xe1"
33748 "\xb6\xc0\xe4\xf8\xef\x93\xbd\x6e"
33749 "\x15\x85\x6b\xe3\x60\x81\x1d\x68"
33750 "\xd7\x31\x87\x89\x09\xab\xd5\x96"
33751 "\x1d\xf3\x6d\x67\x80\xca\x07\x31"
33752 "\x5d\xa7\xe4\xfb\x3e\xf2\x9b\x33"
33753 "\x52\x18\xc8\x30\xfe\x2d\xca\x1e"
33754 "\x79\x92\x7a\x60\x5c\xb6\x58\x87"
33755 "\xa4\x36\xa2\x67\x92\x8b\xa4\xb7"
33756 "\xf1\x86\xdf\xdc\xc0\x7e\x8f\x63"
33757 "\xd2\xa2\xdc\x78\xeb\x4f\xd8\x96"
33758 "\x47\xca\xb8\x91\xf9\xf7\x94\x21"
33759 "\x5f\x9a\x9f\x5b\xb8\x40\x41\x4b"
33760 "\x66\x69\x6a\x72\xd0\xcb\x70\xb7"
33761 "\x93\xb5\x37\x96\x05\x37\x4f\xe5"
33762 "\x8c\xa7\x5a\x4e\x8b\xb7\x84\xea"
33763 "\xc7\xfc\x19\x6e\x1f\x5a\xa1\xac"
33764 "\x18\x7d\x52\x3b\xb3\x34\x62\x99"
33765 "\xe4\x9e\x31\x04\x3f\xc0\x8d\x84"
33766 "\x17\x7c\x25\x48\x52\x67\x11\x27"
33767 "\x67\xbb\x5a\x85\xca\x56\xb2\x5c"
33768 "\xe6\xec\xd5\x96\x3d\x15\xfc\xfb"
33769 "\x22\x25\xf4\x13\xe5\x93\x4b\x9a"
33770 "\x77\xf1\x52\x18\xfa\x16\x5e\x49"
33771 "\x03\x45\xa8\x08\xfa\xb3\x41\x92"
33772 "\x79\x50\x33\xca\xd0\xd7\x42\x55"
33773 "\xc3\x9a\x0c\x4e\xd9\xa4\x3c\x86"
33774 "\x80\x9f\x53\xd1\xa4\x2e\xd1\xbc"
33775 "\xf1\x54\x6e\x93\xa4\x65\x99\x8e"
33776 "\xdf\x29\xc0\x64\x63\x07\xbb\xea",
33777 .ctext = "\xe0\x33\xf6\xe0\xb4\xa5\xdd\x2b"
33778 "\xdd\xce\xfc\x12\x1e\xfc\x2d\xf2"
33779 "\x8b\xc7\xeb\xc1\xc4\x2a\xe8\x44"
33780 "\x0f\x3d\x97\x19\x2e\x6d\xa2\x38"
33781 "\x9d\xa6\xaa\xe1\x96\xb9\x08\xe8"
33782 "\x0b\x70\x48\x5c\xed\xb5\x9b\xcb"
33783 "\x8b\x40\x88\x7e\x69\x73\xf7\x16"
33784 "\x71\xbb\x5b\xfc\xa3\x47\x5d\xa6"
33785 "\xae\x3a\x64\xc4\xe7\xb8\xa8\xe7"
33786 "\xb1\x32\x19\xdb\xe3\x01\xb8\xf0"
33787 "\xa4\x86\xb4\x4c\xc2\xde\x5c\xd2"
33788 "\x6c\x77\xd2\xe8\x18\xb7\x0a\xc9"
33789 "\x3d\x53\xb5\xc4\x5c\xf0\x8c\x06"
33790 "\xdc\x90\xe0\x74\x47\x1b\x0b\xf6"
33791 "\xd2\x71\x6b\xc4\xf1\x97\x00\x2d"
33792 "\x63\x57\x44\x1f\x8c\xf4\xe6\x9b"
33793 "\xe0\x7a\xdd\xec\x32\x73\x42\x32"
33794 "\x7f\x35\x67\x60\x0d\xcf\x10\x52"
33795 "\x61\x22\x53\x8d\x8e\xbb\x33\x76"
33796 "\x59\xd9\x10\xce\xdf\xef\xc0\x41"
33797 "\xd5\x33\x29\x6a\xda\x46\xa4\x51"
33798 "\xf0\x99\x3d\x96\x31\xdd\xb5\xcb"
33799 "\x3e\x2a\x1f\xc7\x5c\x79\xd3\xc5"
33800 "\x20\xa1\xb1\x39\x1b\xc6\x0a\x70"
33801 "\x26\x39\x95\x07\xad\x7a\xc9\x69"
33802 "\xfe\x81\xc7\x88\x08\x38\xaf\xad"
33803 "\x9e\x8d\xfb\xe8\x24\x0d\x22\xb8"
33804 "\x0e\xed\xbe\x37\x53\x7c\xa6\xc6"
33805 "\x78\x62\xec\xa3\x59\xd9\xc6\x9d"
33806 "\xb8\x0e\x69\x77\x84\x2d\x6a\x4c"
33807 "\xc5\xd9\xb2\xa0\x2b\xa8\x80\xcc"
33808 "\xe9\x1e\x9c\x5a\xc4\xa1\xb2\x37"
33809 "\x06\x9b\x30\x32\x67\xf7\xe7\xd2"
33810 "\x42\xc7\xdf\x4e\xd4\xcb\xa0\x12"
33811 "\x94\xa1\x34\x85\x93\x50\x4b\x0a"
33812 "\x3c\x7d\x49\x25\x01\x41\x6b\x96"
33813 "\xa9\x12\xbb\x0b\xc0\xd7\xd0\x93"
33814 "\x1f\x70\x38\xb8\x21\xee\xf6\xa7"
33815 "\xee\xeb\xe7\x81\xa4\x13\xb4\x87"
33816 "\xfa\xc1\xb0\xb5\x37\x8b\x74\xa2"
33817 "\x4e\xc7\xc2\xad\x3d\x62\x3f\xf8"
33818 "\x34\x42\xe5\xae\x45\x13\x63\xfe"
33819 "\xfc\x2a\x17\x46\x61\xa9\xd3\x1c"
33820 "\x4c\xaf\xf0\x09\x62\x26\x66\x1e"
33821 "\x74\xcf\xd6\x68\x3d\x7d\xd8\xb7"
33822 "\xe7\xe6\xf8\xf0\x08\x20\xf7\x47"
33823 "\x1c\x52\xaa\x0f\x3e\x21\xa3\xf2"
33824 "\xbf\x2f\x95\x16\xa8\xc8\xc8\x8c"
33825 "\x99\x0f\x5d\xfb\xfa\x2b\x58\x8a"
33826 "\x7e\xd6\x74\x02\x60\xf0\xd0\x5b"
33827 "\x65\xa8\xac\xea\x8d\x68\x46\x34"
33828 "\x26\x9d\x4f\xb1\x9a\x8e\xc0\x1a"
33829 "\xf1\xed\xc6\x7a\x83\xfd\x8a\x57"
33830 "\xf2\xe6\xe4\xba\xfc\xc6\x3c\xad"
33831 "\x5b\x19\x50\x2f\x3a\xcc\x06\x46"
33832 "\x04\x51\x3f\x91\x97\xf0\xd2\x07"
33833 "\xe7\x93\x89\x7e\xb5\x32\x0f\x03"
33834 "\xe5\x58\x9e\x74\x72\xeb\xc2\x38"
33835 "\x00\x0c\x91\x72\x69\xed\x7d\x6d"
33836 "\xc8\x71\xf0\xec\xff\x80\xd9\x1c"
33837 "\x9e\xd2\xfa\x15\xfc\x6c\x4e\xbc"
33838 "\xb1\xa6\xbd\xbd\x70\x40\xca\x20"
33839 "\xb8\x78\xd2\xa3\xc6\xf3\x79\x9c"
33840 "\xc7\x27\xe1\x6a\x29\xad\xa4\x03",
33841 .len = 512,
33842 }
33843};
33844
33384/* 33845/*
33385 * CTS (Cipher Text Stealing) mode tests 33846 * CTS (Cipher Text Stealing) mode tests
33386 */ 33847 */
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-31 13:57:08 -0400