linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: Eric Biggers <ebiggers@kernel.org>
Cc: "open list:HARDWARE RANDOM NUMBER GENERATOR CORE" 
	<linux-crypto@vger.kernel.org>,
	linux-fscrypt@vger.kernel.org,
	linux-arm-kernel <linux-arm-kernel@lists.infradead.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	Paul Crowley <paulcrowley@google.com>,
	Greg Kaiser <gkaiser@google.com>,
	Michael Halcrow <mhalcrow@google.com>,
	"Jason A . Donenfeld" <Jason@zx2c4.com>,
	Samuel Neves <samuel.c.p.neves@gmail.com>,
	Tomer Ashur <tomer.ashur@esat.kuleuven.be>
Subject: Re: [RFC PATCH v2 02/12] crypto: chacha20-generic - add XChaCha20 support
Date: Fri, 19 Oct 2018 22:24:28 +0800	[thread overview]
Message-ID: <CAKv+Gu8WnYpSiQuPPSzhxPe5xqwq779o9HWeDaoKxTJR5UFUCA@mail.gmail.com> (raw)
In-Reply-To: <20181015175424.97147-3-ebiggers@kernel.org>

On 16 October 2018 at 01:54, Eric Biggers <ebiggers@kernel.org> wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> Add support for the XChaCha20 stream cipher.  XChaCha20 is the
> application of the XSalsa20 construction
> (https://cr.yp.to/snuffle/xsalsa-20081128.pdf) to ChaCha20 rather than
> to Salsa20.  XChaCha20 extends ChaCha20's nonce length from 64 bits (or
> 96 bits, depending on convention) to 192 bits, while provably retaining
> ChaCha20's security.  XChaCha20 uses the ChaCha20 permutation to map the
> key and first 128 nonce bits to a 256-bit subkey.  Then, it does the
> ChaCha20 stream cipher with the subkey and remaining 64 bits of nonce.
>
> We need XChaCha support in order to add support for the Adiantum
> encryption mode.  Note that to meet our performance requirements, we
> actually plan to primarily use the variant XChaCha12.  But we believe
> it's wise to first add XChaCha20 as a baseline with a higher security
> margin, in case there are any situations where it can be used.
> Supporting both variants is straightforward.
>
> Since XChaCha20's subkey differs for each request, XChaCha20 can't be a
> template that wraps ChaCha20; that would require re-keying the
> underlying ChaCha20 for every request, which wouldn't be thread-safe.
> Instead, we make XChaCha20 its own top-level algorithm which calls the
> ChaCha20 streaming implementation internally.
>
> Similar to the existing ChaCha20 implementation, we define the IV to be
> the nonce and stream position concatenated together.  This allows users
> to seek to any position in the stream.
>
> I considered splitting the code into separate chacha20-common, chacha20,
> and xchacha20 modules, so that chacha20 and xchacha20 could be
> enabled/disabled independently.  However, since nearly all the code is
> shared anyway, I ultimately decided there would have been little benefit
> to the added complexity of separate modules.
>
> Signed-off-by: Eric Biggers <ebiggers@google.com>

One nit below but that should be fixed separately, so

Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

> ---
>  crypto/Kconfig            |  14 +-
>  crypto/chacha20_generic.c | 120 +++++---
>  crypto/testmgr.c          |   6 +
>  crypto/testmgr.h          | 577 ++++++++++++++++++++++++++++++++++++++
>  include/crypto/chacha20.h |  14 +-
>  5 files changed, 689 insertions(+), 42 deletions(-)
>
> diff --git a/crypto/Kconfig b/crypto/Kconfig
> index f7a235db56aaa..d9acbce23d4d5 100644
> --- a/crypto/Kconfig
> +++ b/crypto/Kconfig
> @@ -1387,18 +1387,22 @@ config CRYPTO_SALSA20
>           Bernstein <djb@cr.yp.to>. See <http://cr.yp.to/snuffle.html>
>
>  config CRYPTO_CHACHA20
> -       tristate "ChaCha20 cipher algorithm"
> +       tristate "ChaCha20 stream cipher algorithms"
>         select CRYPTO_BLKCIPHER
>         help
> -         ChaCha20 cipher algorithm, RFC7539.
> +         The ChaCha20 and XChaCha20 stream cipher algorithms.
>
>           ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
>           Bernstein and further specified in RFC7539 for use in IETF protocols.
> -         This is the portable C implementation of ChaCha20.
> -
> -         See also:
> +         This is the portable C implementation of ChaCha20.  See also:
>           <http://cr.yp.to/chacha/chacha-20080128.pdf>
>
> +         XChaCha20 is the application of the XSalsa20 construction to ChaCha20
> +         rather than to Salsa20.  XChaCha20 extends ChaCha20's nonce length
> +         from 64 bits (or 96 bits using the RFC7539 convention) to 192 bits,
> +         while provably retaining ChaCha20's security.  See also:
> +         <https://cr.yp.to/snuffle/xsalsa-20081128.pdf>
> +
>  config CRYPTO_CHACHA20_X86_64
>         tristate "ChaCha20 cipher algorithm (x86_64/SSSE3/AVX2)"
>         depends on X86 && 64BIT
> diff --git a/crypto/chacha20_generic.c b/crypto/chacha20_generic.c
> index 3ae96587caf9a..07902fe37aeb8 100644
> --- a/crypto/chacha20_generic.c
> +++ b/crypto/chacha20_generic.c
> @@ -1,7 +1,8 @@
>  /*
> - * ChaCha20 256-bit cipher algorithm, RFC7539
> + * ChaCha20 (RFC7539) and XChaCha20 stream cipher algorithms
>   *
>   * Copyright (C) 2015 Martin Willi
> + * Copyright (C) 2018 Google LLC
>   *
>   * This program is free software; you can redistribute it and/or modify
>   * it under the terms of the GNU General Public License as published by
> @@ -36,6 +37,31 @@ static void chacha20_docrypt(u32 *state, u8 *dst, const u8 *src,
>         }
>  }
>
> +static int chacha20_stream_xor(struct skcipher_request *req,
> +                              struct chacha20_ctx *ctx, u8 *iv)
> +{
> +       struct skcipher_walk walk;
> +       u32 state[16];
> +       int err;
> +
> +       err = skcipher_walk_virt(&walk, req, true);
> +

We shouldn't be calling skcipher_walk_virt() here with atomic set to
true, but that is an existing issue so perhaps you could include a
separate patch to fix that?

> +       crypto_chacha20_init(state, ctx, iv);
> +
> +       while (walk.nbytes > 0) {
> +               unsigned int nbytes = walk.nbytes;
> +
> +               if (nbytes < walk.total)
> +                       nbytes = round_down(nbytes, walk.stride);
> +
> +               chacha20_docrypt(state, walk.dst.virt.addr, walk.src.virt.addr,
> +                                nbytes);
> +               err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
> +       }
> +
> +       return err;
> +}
> +
>  void crypto_chacha20_init(u32 *state, struct chacha20_ctx *ctx, u8 *iv)
>  {
>         state[0]  = 0x61707865; /* "expa" */
> @@ -77,54 +103,74 @@ int crypto_chacha20_crypt(struct skcipher_request *req)
>  {
>         struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
>         struct chacha20_ctx *ctx = crypto_skcipher_ctx(tfm);
> -       struct skcipher_walk walk;
> -       u32 state[16];
> -       int err;
> -
> -       err = skcipher_walk_virt(&walk, req, true);
>
> -       crypto_chacha20_init(state, ctx, walk.iv);
> +       return chacha20_stream_xor(req, ctx, req->iv);
> +}
> +EXPORT_SYMBOL_GPL(crypto_chacha20_crypt);
>
> -       while (walk.nbytes > 0) {
> -               unsigned int nbytes = walk.nbytes;
> +int crypto_xchacha20_crypt(struct skcipher_request *req)
> +{
> +       struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
> +       struct chacha20_ctx *ctx = crypto_skcipher_ctx(tfm);
> +       struct chacha20_ctx subctx;
> +       u32 state[16];
> +       u8 real_iv[16];
>
> -               if (nbytes < walk.total)
> -                       nbytes = round_down(nbytes, walk.stride);
> +       /* Compute the subkey given the original key and first 128 nonce bits */
> +       crypto_chacha20_init(state, ctx, req->iv);
> +       hchacha20_block(state, subctx.key);
>
> -               chacha20_docrypt(state, walk.dst.virt.addr, walk.src.virt.addr,
> -                                nbytes);
> -               err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
> -       }
> +       /* Build the real IV */
> +       memcpy(&real_iv[0], req->iv + 24, 8); /* stream position */
> +       memcpy(&real_iv[8], req->iv + 16, 8); /* remaining 64 nonce bits */
>
> -       return err;
> +       /* Generate the stream and XOR it with the data */
> +       return chacha20_stream_xor(req, &subctx, real_iv);
>  }
> -EXPORT_SYMBOL_GPL(crypto_chacha20_crypt);
> -
> -static struct skcipher_alg alg = {
> -       .base.cra_name          = "chacha20",
> -       .base.cra_driver_name   = "chacha20-generic",
> -       .base.cra_priority      = 100,
> -       .base.cra_blocksize     = 1,
> -       .base.cra_ctxsize       = sizeof(struct chacha20_ctx),
> -       .base.cra_module        = THIS_MODULE,
> -
> -       .min_keysize            = CHACHA20_KEY_SIZE,
> -       .max_keysize            = CHACHA20_KEY_SIZE,
> -       .ivsize                 = CHACHA20_IV_SIZE,
> -       .chunksize              = CHACHA20_BLOCK_SIZE,
> -       .setkey                 = crypto_chacha20_setkey,
> -       .encrypt                = crypto_chacha20_crypt,
> -       .decrypt                = crypto_chacha20_crypt,
> +EXPORT_SYMBOL_GPL(crypto_xchacha20_crypt);
> +
> +static struct skcipher_alg algs[] = {
> +       {
> +               .base.cra_name          = "chacha20",
> +               .base.cra_driver_name   = "chacha20-generic",
> +               .base.cra_priority      = 100,
> +               .base.cra_blocksize     = 1,
> +               .base.cra_ctxsize       = sizeof(struct chacha20_ctx),
> +               .base.cra_module        = THIS_MODULE,
> +
> +               .min_keysize            = CHACHA20_KEY_SIZE,
> +               .max_keysize            = CHACHA20_KEY_SIZE,
> +               .ivsize                 = CHACHA20_IV_SIZE,
> +               .chunksize              = CHACHA20_BLOCK_SIZE,
> +               .setkey                 = crypto_chacha20_setkey,
> +               .encrypt                = crypto_chacha20_crypt,
> +               .decrypt                = crypto_chacha20_crypt,
> +       }, {
> +               .base.cra_name          = "xchacha20",
> +               .base.cra_driver_name   = "xchacha20-generic",
> +               .base.cra_priority      = 100,
> +               .base.cra_blocksize     = 1,
> +               .base.cra_ctxsize       = sizeof(struct chacha20_ctx),
> +               .base.cra_module        = THIS_MODULE,
> +
> +               .min_keysize            = CHACHA20_KEY_SIZE,
> +               .max_keysize            = CHACHA20_KEY_SIZE,
> +               .ivsize                 = XCHACHA20_IV_SIZE,
> +               .chunksize              = CHACHA20_BLOCK_SIZE,
> +               .setkey                 = crypto_chacha20_setkey,
> +               .encrypt                = crypto_xchacha20_crypt,
> +               .decrypt                = crypto_xchacha20_crypt,
> +       }
>  };
>
>  static int __init chacha20_generic_mod_init(void)
>  {
> -       return crypto_register_skcipher(&alg);
> +       return crypto_register_skciphers(algs, ARRAY_SIZE(algs));
>  }
>
>  static void __exit chacha20_generic_mod_fini(void)
>  {
> -       crypto_unregister_skcipher(&alg);
> +       crypto_unregister_skciphers(algs, ARRAY_SIZE(algs));
>  }
>
>  module_init(chacha20_generic_mod_init);
> @@ -132,6 +178,8 @@ module_exit(chacha20_generic_mod_fini);
>
>  MODULE_LICENSE("GPL");
>  MODULE_AUTHOR("Martin Willi <martin@strongswan.org>");
> -MODULE_DESCRIPTION("chacha20 cipher algorithm");
> +MODULE_DESCRIPTION("ChaCha20 and XChaCha20 stream ciphers (generic)");
>  MODULE_ALIAS_CRYPTO("chacha20");
>  MODULE_ALIAS_CRYPTO("chacha20-generic");
> +MODULE_ALIAS_CRYPTO("xchacha20");
> +MODULE_ALIAS_CRYPTO("xchacha20-generic");
> diff --git a/crypto/testmgr.c b/crypto/testmgr.c
> index b1f79c6bf4096..a5512e69c8f31 100644
> --- a/crypto/testmgr.c
> +++ b/crypto/testmgr.c
> @@ -3544,6 +3544,12 @@ static const struct alg_test_desc alg_test_descs[] = {
>                 .suite = {
>                         .hash = __VECS(aes_xcbc128_tv_template)
>                 }
> +       }, {
> +               .alg = "xchacha20",
> +               .test = alg_test_skcipher,
> +               .suite = {
> +                       .cipher = __VECS(xchacha20_tv_template)
> +               },
>         }, {
>                 .alg = "xts(aes)",
>                 .test = alg_test_skcipher,
> diff --git a/crypto/testmgr.h b/crypto/testmgr.h
> index 1fe7b97ba03f9..371641c73cf8c 100644
> --- a/crypto/testmgr.h
> +++ b/crypto/testmgr.h
> @@ -30802,6 +30802,583 @@ static const struct cipher_testvec chacha20_tv_template[] = {
>         },
>  };
>
> +static const struct cipher_testvec xchacha20_tv_template[] = {
> +       { /* from libsodium test/default/xchacha20.c */
> +               .key    = "\x79\xc9\x97\x98\xac\x67\x30\x0b"
> +                         "\xbb\x27\x04\xc9\x5c\x34\x1e\x32"
> +                         "\x45\xf3\xdc\xb2\x17\x61\xb9\x8e"
> +                         "\x52\xff\x45\xb2\x4f\x30\x4f\xc4",
> +               .klen   = 32,
> +               .iv     = "\xb3\x3f\xfd\x30\x96\x47\x9b\xcf"
> +                         "\xbc\x9a\xee\x49\x41\x76\x88\xa0"
> +                         "\xa2\x55\x4f\x8d\x95\x38\x94\x19"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00",
> +               .ptext  = "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00",
> +               .ctext  = "\xc6\xe9\x75\x81\x60\x08\x3a\xc6"
> +                         "\x04\xef\x90\xe7\x12\xce\x6e\x75"
> +                         "\xd7\x79\x75\x90\x74\x4e\x0c\xf0"
> +                         "\x60\xf0\x13\x73\x9c",
> +               .len    = 29,
> +       }, { /* from libsodium test/default/xchacha20.c */
> +               .key    = "\x9d\x23\xbd\x41\x49\xcb\x97\x9c"
> +                         "\xcf\x3c\x5c\x94\xdd\x21\x7e\x98"
> +                         "\x08\xcb\x0e\x50\xcd\x0f\x67\x81"
> +                         "\x22\x35\xea\xaf\x60\x1d\x62\x32",
> +               .klen   = 32,
> +               .iv     = "\xc0\x47\x54\x82\x66\xb7\xc3\x70"
> +                         "\xd3\x35\x66\xa2\x42\x5c\xbf\x30"
> +                         "\xd8\x2d\x1e\xaf\x52\x94\x10\x9e"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00",
> +               .ptext  = "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00",
> +               .ctext  = "\xa2\x12\x09\x09\x65\x94\xde\x8c"
> +                         "\x56\x67\xb1\xd1\x3a\xd9\x3f\x74"
> +                         "\x41\x06\xd0\x54\xdf\x21\x0e\x47"
> +                         "\x82\xcd\x39\x6f\xec\x69\x2d\x35"
> +                         "\x15\xa2\x0b\xf3\x51\xee\xc0\x11"
> +                         "\xa9\x2c\x36\x78\x88\xbc\x46\x4c"
> +                         "\x32\xf0\x80\x7a\xcd\x6c\x20\x3a"
> +                         "\x24\x7e\x0d\xb8\x54\x14\x84\x68"
> +                         "\xe9\xf9\x6b\xee\x4c\xf7\x18\xd6"
> +                         "\x8d\x5f\x63\x7c\xbd\x5a\x37\x64"
> +                         "\x57\x78\x8e\x6f\xae\x90\xfc\x31"
> +                         "\x09\x7c\xfc",
> +               .len    = 91,
> +       }, { /* Taken from the ChaCha20 test vectors, appended 16 random bytes
> +               to nonce, and recomputed the ciphertext with libsodium */
> +               .key    = "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00",
> +               .klen   = 32,
> +               .iv     = "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x67\xc6\x69\x73"
> +                         "\x51\xff\x4a\xec\x29\xcd\xba\xab"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00",
> +               .ptext  = "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00",
> +               .ctext  = "\x9c\x49\x2a\xe7\x8a\x2f\x93\xc7"
> +                         "\xb3\x33\x6f\x82\x17\xd8\xc4\x1e"
> +                         "\xad\x80\x11\x11\x1d\x4c\x16\x18"
> +                         "\x07\x73\x9b\x4f\xdb\x7c\xcb\x47"
> +                         "\xfd\xef\x59\x74\xfa\x3f\xe5\x4c"
> +                         "\x9b\xd0\xea\xbc\xba\x56\xad\x32"
> +                         "\x03\xdc\xf8\x2b\xc1\xe1\x75\x67"
> +                         "\x23\x7b\xe6\xfc\xd4\x03\x86\x54",
> +               .len    = 64,
> +       }, { /* Taken from the ChaCha20 test vectors, appended 16 random bytes
> +               to nonce, and recomputed the ciphertext with libsodium */
> +               .key    = "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x00\x00\x00\x00\x01",
> +               .klen   = 32,
> +               .iv     = "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x02\xf2\xfb\xe3\x46"
> +                         "\x7c\xc2\x54\xf8\x1b\xe8\xe7\x8d"
> +                         "\x01\x00\x00\x00\x00\x00\x00\x00",
> +               .ptext  = "\x41\x6e\x79\x20\x73\x75\x62\x6d"
> +                         "\x69\x73\x73\x69\x6f\x6e\x20\x74"
> +                         "\x6f\x20\x74\x68\x65\x20\x49\x45"
> +                         "\x54\x46\x20\x69\x6e\x74\x65\x6e"
> +                         "\x64\x65\x64\x20\x62\x79\x20\x74"
> +                         "\x68\x65\x20\x43\x6f\x6e\x74\x72"
> +                         "\x69\x62\x75\x74\x6f\x72\x20\x66"
> +                         "\x6f\x72\x20\x70\x75\x62\x6c\x69"
> +                         "\x63\x61\x74\x69\x6f\x6e\x20\x61"
> +                         "\x73\x20\x61\x6c\x6c\x20\x6f\x72"
> +                         "\x20\x70\x61\x72\x74\x20\x6f\x66"
> +                         "\x20\x61\x6e\x20\x49\x45\x54\x46"
> +                         "\x20\x49\x6e\x74\x65\x72\x6e\x65"
> +                         "\x74\x2d\x44\x72\x61\x66\x74\x20"
> +                         "\x6f\x72\x20\x52\x46\x43\x20\x61"
> +                         "\x6e\x64\x20\x61\x6e\x79\x20\x73"
> +                         "\x74\x61\x74\x65\x6d\x65\x6e\x74"
> +                         "\x20\x6d\x61\x64\x65\x20\x77\x69"
> +                         "\x74\x68\x69\x6e\x20\x74\x68\x65"
> +                         "\x20\x63\x6f\x6e\x74\x65\x78\x74"
> +                         "\x20\x6f\x66\x20\x61\x6e\x20\x49"
> +                         "\x45\x54\x46\x20\x61\x63\x74\x69"
> +                         "\x76\x69\x74\x79\x20\x69\x73\x20"
> +                         "\x63\x6f\x6e\x73\x69\x64\x65\x72"
> +                         "\x65\x64\x20\x61\x6e\x20\x22\x49"
> +                         "\x45\x54\x46\x20\x43\x6f\x6e\x74"
> +                         "\x72\x69\x62\x75\x74\x69\x6f\x6e"
> +                         "\x22\x2e\x20\x53\x75\x63\x68\x20"
> +                         "\x73\x74\x61\x74\x65\x6d\x65\x6e"
> +                         "\x74\x73\x20\x69\x6e\x63\x6c\x75"
> +                         "\x64\x65\x20\x6f\x72\x61\x6c\x20"
> +                         "\x73\x74\x61\x74\x65\x6d\x65\x6e"
> +                         "\x74\x73\x20\x69\x6e\x20\x49\x45"
> +                         "\x54\x46\x20\x73\x65\x73\x73\x69"
> +                         "\x6f\x6e\x73\x2c\x20\x61\x73\x20"
> +                         "\x77\x65\x6c\x6c\x20\x61\x73\x20"
> +                         "\x77\x72\x69\x74\x74\x65\x6e\x20"
> +                         "\x61\x6e\x64\x20\x65\x6c\x65\x63"
> +                         "\x74\x72\x6f\x6e\x69\x63\x20\x63"
> +                         "\x6f\x6d\x6d\x75\x6e\x69\x63\x61"
> +                         "\x74\x69\x6f\x6e\x73\x20\x6d\x61"
> +                         "\x64\x65\x20\x61\x74\x20\x61\x6e"
> +                         "\x79\x20\x74\x69\x6d\x65\x20\x6f"
> +                         "\x72\x20\x70\x6c\x61\x63\x65\x2c"
> +                         "\x20\x77\x68\x69\x63\x68\x20\x61"
> +                         "\x72\x65\x20\x61\x64\x64\x72\x65"
> +                         "\x73\x73\x65\x64\x20\x74\x6f",
> +               .ctext  = "\xf9\xab\x7a\x4a\x60\xb8\x5f\xa0"
> +                         "\x50\xbb\x57\xce\xef\x8c\xc1\xd9"
> +                         "\x24\x15\xb3\x67\x5e\x7f\x01\xf6"
> +                         "\x1c\x22\xf6\xe5\x71\xb1\x43\x64"
> +                         "\x63\x05\xd5\xfc\x5c\x3d\xc0\x0e"
> +                         "\x23\xef\xd3\x3b\xd9\xdc\x7f\xa8"
> +                         "\x58\x26\xb3\xd0\xc2\xd5\x04\x3f"
> +                         "\x0a\x0e\x8f\x17\xe4\xcd\xf7\x2a"
> +                         "\xb4\x2c\x09\xe4\x47\xec\x8b\xfb"
> +                         "\x59\x37\x7a\xa1\xd0\x04\x7e\xaa"
> +                         "\xf1\x98\x5f\x24\x3d\x72\x9a\x43"
> +                         "\xa4\x36\x51\x92\x22\x87\xff\x26"
> +                         "\xce\x9d\xeb\x59\x78\x84\x5e\x74"
> +                         "\x97\x2e\x63\xc0\xef\x29\xf7\x8a"
> +                         "\xb9\xee\x35\x08\x77\x6a\x35\x9a"
> +                         "\x3e\xe6\x4f\x06\x03\x74\x1b\xc1"
> +                         "\x5b\xb3\x0b\x89\x11\x07\xd3\xb7"
> +                         "\x53\xd6\x25\x04\xd9\x35\xb4\x5d"
> +                         "\x4c\x33\x5a\xc2\x42\x4c\xe6\xa4"
> +                         "\x97\x6e\x0e\xd2\xb2\x8b\x2f\x7f"
> +                         "\x28\xe5\x9f\xac\x4b\x2e\x02\xab"
> +                         "\x85\xfa\xa9\x0d\x7c\x2d\x10\xe6"
> +                         "\x91\xab\x55\x63\xf0\xde\x3a\x94"
> +                         "\x25\x08\x10\x03\xc2\x68\xd1\xf4"
> +                         "\xaf\x7d\x9c\x99\xf7\x86\x96\x30"
> +                         "\x60\xfc\x0b\xe6\xa8\x80\x15\xb0"
> +                         "\x81\xb1\x0c\xbe\xb9\x12\x18\x25"
> +                         "\xe9\x0e\xb1\xe7\x23\xb2\xef\x4a"
> +                         "\x22\x8f\xc5\x61\x89\xd4\xe7\x0c"
> +                         "\x64\x36\x35\x61\xb6\x34\x60\xf7"
> +                         "\x7b\x61\x37\x37\x12\x10\xa2\xf6"
> +                         "\x7e\xdb\x7f\x39\x3f\xb6\x8e\x89"
> +                         "\x9e\xf3\xfe\x13\x98\xbb\x66\x5a"
> +                         "\xec\xea\xab\x3f\x9c\x87\xc4\x8c"
> +                         "\x8a\x04\x18\x49\xfc\x77\x11\x50"
> +                         "\x16\xe6\x71\x2b\xee\xc0\x9c\xb6"
> +                         "\x87\xfd\x80\xff\x0b\x1d\x73\x38"
> +                         "\xa4\x1d\x6f\xae\xe4\x12\xd7\x93"
> +                         "\x9d\xcd\x38\x26\x09\x40\x52\xcd"
> +                         "\x67\x01\x67\x26\xe0\x3e\x98\xa8"
> +                         "\xe8\x1a\x13\x41\xbb\x90\x4d\x87"
> +                         "\xbb\x42\x82\x39\xce\x3a\xd0\x18"
> +                         "\x6d\x7b\x71\x8f\xbb\x2c\x6a\xd1"
> +                         "\xbd\xf5\xc7\x8a\x7e\xe1\x1e\x0f"
> +                         "\x0d\x0d\x13\x7c\xd9\xd8\x3c\x91"
> +                         "\xab\xff\x1f\x12\xc3\xee\xe5\x65"
> +                         "\x12\x8d\x7b\x61\xe5\x1f\x98",
> +               .len    = 375,
> +               .also_non_np = 1,
> +               .np     = 3,
> +               .tap    = { 375 - 20, 4, 16 },
> +
> +       }, { /* Taken from the ChaCha20 test vectors, appended 16 random bytes
> +               to nonce, and recomputed the ciphertext with libsodium */
> +               .key    = "\x1c\x92\x40\xa5\xeb\x55\xd3\x8a"
> +                         "\xf3\x33\x88\x86\x04\xf6\xb5\xf0"
> +                         "\x47\x39\x17\xc1\x40\x2b\x80\x09"
> +                         "\x9d\xca\x5c\xbc\x20\x70\x75\xc0",
> +               .klen   = 32,
> +               .iv     = "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x02\x76\x5a\x2e\x63"
> +                         "\x33\x9f\xc9\x9a\x66\x32\x0d\xb7"
> +                         "\x2a\x00\x00\x00\x00\x00\x00\x00",
> +               .ptext  = "\x27\x54\x77\x61\x73\x20\x62\x72"
> +                         "\x69\x6c\x6c\x69\x67\x2c\x20\x61"
> +                         "\x6e\x64\x20\x74\x68\x65\x20\x73"
> +                         "\x6c\x69\x74\x68\x79\x20\x74\x6f"
> +                         "\x76\x65\x73\x0a\x44\x69\x64\x20"
> +                         "\x67\x79\x72\x65\x20\x61\x6e\x64"
> +                         "\x20\x67\x69\x6d\x62\x6c\x65\x20"
> +                         "\x69\x6e\x20\x74\x68\x65\x20\x77"
> +                         "\x61\x62\x65\x3a\x0a\x41\x6c\x6c"
> +                         "\x20\x6d\x69\x6d\x73\x79\x20\x77"
> +                         "\x65\x72\x65\x20\x74\x68\x65\x20"
> +                         "\x62\x6f\x72\x6f\x67\x6f\x76\x65"
> +                         "\x73\x2c\x0a\x41\x6e\x64\x20\x74"
> +                         "\x68\x65\x20\x6d\x6f\x6d\x65\x20"
> +                         "\x72\x61\x74\x68\x73\x20\x6f\x75"
> +                         "\x74\x67\x72\x61\x62\x65\x2e",
> +               .ctext  = "\x95\xb9\x51\xe7\x8f\xb4\xa4\x03"
> +                         "\xca\x37\xcc\xde\x60\x1d\x8c\xe2"
> +                         "\xf1\xbb\x8a\x13\x7f\x61\x85\xcc"
> +                         "\xad\xf4\xf0\xdc\x86\xa6\x1e\x10"
> +                         "\xbc\x8e\xcb\x38\x2b\xa5\xc8\x8f"
> +                         "\xaa\x03\x3d\x53\x4a\x42\xb1\x33"
> +                         "\xfc\xd3\xef\xf0\x8e\x7e\x10\x9c"
> +                         "\x6f\x12\x5e\xd4\x96\xfe\x5b\x08"
> +                         "\xb6\x48\xf0\x14\x74\x51\x18\x7c"
> +                         "\x07\x92\xfc\xac\x9d\xf1\x94\xc0"
> +                         "\xc1\x9d\xc5\x19\x43\x1f\x1d\xbb"
> +                         "\x07\xf0\x1b\x14\x25\x45\xbb\xcb"
> +                         "\x5c\xe2\x8b\x28\xf3\xcf\x47\x29"
> +                         "\x27\x79\x67\x24\xa6\x87\xc2\x11"
> +                         "\x65\x03\xfa\x45\xf7\x9e\x53\x7a"
> +                         "\x99\xf1\x82\x25\x4f\x8d\x07",
> +               .len    = 127,
> +       }, { /* Taken from the ChaCha20 test vectors, appended 16 random bytes
> +               to nonce, and recomputed the ciphertext with libsodium */
> +               .key    = "\x1c\x92\x40\xa5\xeb\x55\xd3\x8a"
> +                         "\xf3\x33\x88\x86\x04\xf6\xb5\xf0"
> +                         "\x47\x39\x17\xc1\x40\x2b\x80\x09"
> +                         "\x9d\xca\x5c\xbc\x20\x70\x75\xc0",
> +               .klen   = 32,
> +               .iv     = "\x00\x00\x00\x00\x00\x00\x00\x00"
> +                         "\x00\x00\x00\x01\x31\x58\xa3\x5a"
> +                         "\x25\x5d\x05\x17\x58\xe9\x5e\xd4"
> +                         "\x1c\x00\x00\x00\x00\x00\x00\x00",
> +               .ptext  = "\x49\xee\xe0\xdc\x24\x90\x40\xcd"
> +                         "\xc5\x40\x8f\x47\x05\xbc\xdd\x81"
> +                         "\x47\xc6\x8d\xe6\xb1\x8f\xd7\xcb"
> +                         "\x09\x0e\x6e\x22\x48\x1f\xbf\xb8"
> +                         "\x5c\xf7\x1e\x8a\xc1\x23\xf2\xd4"
> +                         "\x19\x4b\x01\x0f\x4e\xa4\x43\xce"
> +                         "\x01\xc6\x67\xda\x03\x91\x18\x90"
> +                         "\xa5\xa4\x8e\x45\x03\xb3\x2d\xac"
> +                         "\x74\x92\xd3\x53\x47\xc8\xdd\x25"
> +                         "\x53\x6c\x02\x03\x87\x0d\x11\x0c"
> +                         "\x58\xe3\x12\x18\xfd\x2a\x5b\x40"
> +                         "\x0c\x30\xf0\xb8\x3f\x43\xce\xae"
> +                         "\x65\x3a\x7d\x7c\xf4\x54\xaa\xcc"
> +                         "\x33\x97\xc3\x77\xba\xc5\x70\xde"
> +                         "\xd7\xd5\x13\xa5\x65\xc4\x5f\x0f"
> +                         "\x46\x1a\x0d\x97\xb5\xf3\xbb\x3c"
> +                         "\x84\x0f\x2b\xc5\xaa\xea\xf2\x6c"
> +                         "\xc9\xb5\x0c\xee\x15\xf3\x7d\xbe"
> +                         "\x9f\x7b\x5a\xa6\xae\x4f\x83\xb6"
> +                         "\x79\x49\x41\xf4\x58\x18\xcb\x86"
> +                         "\x7f\x30\x0e\xf8\x7d\x44\x36\xea"
> +                         "\x75\xeb\x88\x84\x40\x3c\xad\x4f"
> +                         "\x6f\x31\x6b\xaa\x5d\xe5\xa5\xc5"
> +                         "\x21\x66\xe9\xa7\xe3\xb2\x15\x88"
> +                         "\x78\xf6\x79\xa1\x59\x47\x12\x4e"
> +                         "\x9f\x9f\x64\x1a\xa0\x22\x5b\x08"
> +                         "\xbe\x7c\x36\xc2\x2b\x66\x33\x1b"
> +                         "\xdd\x60\x71\xf7\x47\x8c\x61\xc3"
> +                         "\xda\x8a\x78\x1e\x16\xfa\x1e\x86"
> +                         "\x81\xa6\x17\x2a\xa7\xb5\xc2\xe7"
> +                         "\xa4\xc7\x42\xf1\xcf\x6a\xca\xb4"
> +                         "\x45\xcf\xf3\x93\xf0\xe7\xea\xf6"
> +                         "\xf4\xe6\x33\x43\x84\x93\xa5\x67"
> +                         "\x9b\x16\x58\x58\x80\x0f\x2b\x5c"
> +                         "\x24\x74\x75\x7f\x95\x81\xb7\x30"
> +                         "\x7a\x33\xa7\xf7\x94\x87\x32\x27"
> +                         "\x10\x5d\x14\x4c\x43\x29\xdd\x26"
> +                         "\xbd\x3e\x3c\x0e\xfe\x0e\xa5\x10"
> +                         "\xea\x6b\x64\xfd\x73\xc6\xed\xec"
> +                         "\xa8\xc9\xbf\xb3\xba\x0b\x4d\x07"
> +                         "\x70\xfc\x16\xfd\x79\x1e\xd7\xc5"
> +                         "\x49\x4e\x1c\x8b\x8d\x79\x1b\xb1"
> +                         "\xec\xca\x60\x09\x4c\x6a\xd5\x09"
> +                         "\x49\x46\x00\x88\x22\x8d\xce\xea"
> +                         "\xb1\x17\x11\xde\x42\xd2\x23\xc1"
> +                         "\x72\x11\xf5\x50\x73\x04\x40\x47"
> +                         "\xf9\x5d\xe7\xa7\x26\xb1\x7e\xb0"
> +                         "\x3f\x58\xc1\x52\xab\x12\x67\x9d"
> +                         "\x3f\x43\x4b\x68\xd4\x9c\x68\x38"
> +                         "\x07\x8a\x2d\x3e\xf3\xaf\x6a\x4b"
> +                         "\xf9\xe5\x31\x69\x22\xf9\xa6\x69"
> +                         "\xc6\x9c\x96\x9a\x12\x35\x95\x1d"
> +                         "\x95\xd5\xdd\xbe\xbf\x93\x53\x24"
> +                         "\xfd\xeb\xc2\x0a\x64\xb0\x77\x00"
> +                         "\x6f\x88\xc4\x37\x18\x69\x7c\xd7"
> +                         "\x41\x92\x55\x4c\x03\xa1\x9a\x4b"
> +                         "\x15\xe5\xdf\x7f\x37\x33\x72\xc1"
> +                         "\x8b\x10\x67\xa3\x01\x57\x94\x25"
> +                         "\x7b\x38\x71\x7e\xdd\x1e\xcc\x73"
> +                         "\x55\xd2\x8e\xeb\x07\xdd\xf1\xda"
> +                         "\x58\xb1\x47\x90\xfe\x42\x21\x72"
> +                         "\xa3\x54\x7a\xa0\x40\xec\x9f\xdd"
> +                         "\xc6\x84\x6e\xca\xae\xe3\x68\xb4"
> +                         "\x9d\xe4\x78\xff\x57\xf2\xf8\x1b"
> +                         "\x03\xa1\x31\xd9\xde\x8d\xf5\x22"
> +                         "\x9c\xdd\x20\xa4\x1e\x27\xb1\x76"
> +                         "\x4f\x44\x55\xe2\x9b\xa1\x9c\xfe"
> +                         "\x54\xf7\x27\x1b\xf4\xde\x02\xf5"
> +                         "\x1b\x55\x48\x5c\xdc\x21\x4b\x9e"
> +                         "\x4b\x6e\xed\x46\x23\xdc\x65\xb2"
> +                         "\xcf\x79\x5f\x28\xe0\x9e\x8b\xe7"
> +                         "\x4c\x9d\x8a\xff\xc1\xa6\x28\xb8"
> +                         "\x65\x69\x8a\x45\x29\xef\x74\x85"
> +                         "\xde\x79\xc7\x08\xae\x30\xb0\xf4"
> +                         "\xa3\x1d\x51\x41\xab\xce\xcb\xf6"
> +                         "\xb5\xd8\x6d\xe0\x85\xe1\x98\xb3"
> +                         "\x43\xbb\x86\x83\x0a\xa0\xf5\xb7"
> +                         "\x04\x0b\xfa\x71\x1f\xb0\xf6\xd9"
> +                         "\x13\x00\x15\xf0\xc7\xeb\x0d\x5a"
> +                         "\x9f\xd7\xb9\x6c\x65\x14\x22\x45"
> +                         "\x6e\x45\x32\x3e\x7e\x60\x1a\x12"
> +                         "\x97\x82\x14\xfb\xaa\x04\x22\xfa"
> +                         "\xa0\xe5\x7e\x8c\x78\x02\x48\x5d"
> +                         "\x78\x33\x5a\x7c\xad\xdb\x29\xce"
> +                         "\xbb\x8b\x61\xa4\xb7\x42\xe2\xac"
> +                         "\x8b\x1a\xd9\x2f\x0b\x8b\x62\x21"
> +                         "\x83\x35\x7e\xad\x73\xc2\xb5\x6c"
> +                         "\x10\x26\x38\x07\xe5\xc7\x36\x80"
> +                         "\xe2\x23\x12\x61\xf5\x48\x4b\x2b"
> +                         "\xc5\xdf\x15\xd9\x87\x01\xaa\xac"
> +                         "\x1e\x7c\xad\x73\x78\x18\x63\xe0"
> +                         "\x8b\x9f\x81\xd8\x12\x6a\x28\x10"
> +                         "\xbe\x04\x68\x8a\x09\x7c\x1b\x1c"
> +                         "\x83\x66\x80\x47\x80\xe8\xfd\x35"
> +                         "\x1c\x97\x6f\xae\x49\x10\x66\xcc"
> +                         "\xc6\xd8\xcc\x3a\x84\x91\x20\x77"
> +                         "\x72\xe4\x24\xd2\x37\x9f\xc5\xc9"
> +                         "\x25\x94\x10\x5f\x40\x00\x64\x99"
> +                         "\xdc\xae\xd7\x21\x09\x78\x50\x15"
> +                         "\xac\x5f\xc6\x2c\xa2\x0b\xa9\x39"
> +                         "\x87\x6e\x6d\xab\xde\x08\x51\x16"
> +                         "\xc7\x13\xe9\xea\xed\x06\x8e\x2c"
> +                         "\xf8\x37\x8c\xf0\xa6\x96\x8d\x43"
> +                         "\xb6\x98\x37\xb2\x43\xed\xde\xdf"
> +                         "\x89\x1a\xe7\xeb\x9d\xa1\x7b\x0b"
> +                         "\x77\xb0\xe2\x75\xc0\xf1\x98\xd9"
> +                         "\x80\x55\xc9\x34\x91\xd1\x59\xe8"
> +                         "\x4b\x0f\xc1\xa9\x4b\x7a\x84\x06"
> +                         "\x20\xa8\x5d\xfa\xd1\xde\x70\x56"
> +                         "\x2f\x9e\x91\x9c\x20\xb3\x24\xd8"
> +                         "\x84\x3d\xe1\x8c\x7e\x62\x52\xe5"
> +                         "\x44\x4b\x9f\xc2\x93\x03\xea\x2b"
> +                         "\x59\xc5\xfa\x3f\x91\x2b\xbb\x23"
> +                         "\xf5\xb2\x7b\xf5\x38\xaf\xb3\xee"
> +                         "\x63\xdc\x7b\xd1\xff\xaa\x8b\xab"
> +                         "\x82\x6b\x37\x04\xeb\x74\xbe\x79"
> +                         "\xb9\x83\x90\xef\x20\x59\x46\xff"
> +                         "\xe9\x97\x3e\x2f\xee\xb6\x64\x18"
> +                         "\x38\x4c\x7a\x4a\xf9\x61\xe8\x9a"
> +                         "\xa1\xb5\x01\xa6\x47\xd3\x11\xd4"
> +                         "\xce\xd3\x91\x49\x88\xc7\xb8\x4d"
> +                         "\xb1\xb9\x07\x6d\x16\x72\xae\x46"
> +                         "\x5e\x03\xa1\x4b\xb6\x02\x30\xa8"
> +                         "\x3d\xa9\x07\x2a\x7c\x19\xe7\x62"
> +                         "\x87\xe3\x82\x2f\x6f\xe1\x09\xd9"
> +                         "\x94\x97\xea\xdd\x58\x9e\xae\x76"
> +                         "\x7e\x35\xe5\xb4\xda\x7e\xf4\xde"
> +                         "\xf7\x32\x87\xcd\x93\xbf\x11\x56"
> +                         "\x11\xbe\x08\x74\xe1\x69\xad\xe2"
> +                         "\xd7\xf8\x86\x75\x8a\x3c\xa4\xbe"
> +                         "\x70\xa7\x1b\xfc\x0b\x44\x2a\x76"
> +                         "\x35\xea\x5d\x85\x81\xaf\x85\xeb"
> +                         "\xa0\x1c\x61\xc2\xf7\x4f\xa5\xdc"
> +                         "\x02\x7f\xf6\x95\x40\x6e\x8a\x9a"
> +                         "\xf3\x5d\x25\x6e\x14\x3a\x22\xc9"
> +                         "\x37\x1c\xeb\x46\x54\x3f\xa5\x91"
> +                         "\xc2\xb5\x8c\xfe\x53\x08\x97\x32"
> +                         "\x1b\xb2\x30\x27\xfe\x25\x5d\xdc"
> +                         "\x08\x87\xd0\xe5\x94\x1a\xd4\xf1"
> +                         "\xfe\xd6\xb4\xa3\xe6\x74\x81\x3c"
> +                         "\x1b\xb7\x31\xa7\x22\xfd\xd4\xdd"
> +                         "\x20\x4e\x7c\x51\xb0\x60\x73\xb8"
> +                         "\x9c\xac\x91\x90\x7e\x01\xb0\xe1"
> +                         "\x8a\x2f\x75\x1c\x53\x2a\x98\x2a"
> +                         "\x06\x52\x95\x52\xb2\xe9\x25\x2e"
> +                         "\x4c\xe2\x5a\x00\xb2\x13\x81\x03"
> +                         "\x77\x66\x0d\xa5\x99\xda\x4e\x8c"
> +                         "\xac\xf3\x13\x53\x27\x45\xaf\x64"
> +                         "\x46\xdc\xea\x23\xda\x97\xd1\xab"
> +                         "\x7d\x6c\x30\x96\x1f\xbc\x06\x34"
> +                         "\x18\x0b\x5e\x21\x35\x11\x8d\x4c"
> +                         "\xe0\x2d\xe9\x50\x16\x74\x81\xa8"
> +                         "\xb4\x34\xb9\x72\x42\xa6\xcc\xbc"
> +                         "\xca\x34\x83\x27\x10\x5b\x68\x45"
> +                         "\x8f\x52\x22\x0c\x55\x3d\x29\x7c"
> +                         "\xe3\xc0\x66\x05\x42\x91\x5f\x58"
> +                         "\xfe\x4a\x62\xd9\x8c\xa9\x04\x19"
> +                         "\x04\xa9\x08\x4b\x57\xfc\x67\x53"
> +                         "\x08\x7c\xbc\x66\x8a\xb0\xb6\x9f"
> +                         "\x92\xd6\x41\x7c\x5b\x2a\x00\x79"
> +                         "\x72",
> +               .ctext  = "\x3a\x92\xee\x53\x31\xaf\x2b\x60"
> +                         "\x5f\x55\x8d\x00\x5d\xfc\x74\x97"
> +                         "\x28\x54\xf4\xa5\x75\xf1\x9b\x25"
> +                         "\x62\x1c\xc0\xe0\x13\xc8\x87\x53"
> +                         "\xd0\xf3\xa7\x97\x1f\x3b\x1e\xea"
> +                         "\xe0\xe5\x2a\xd1\xdd\xa4\x3b\x50"
> +                         "\x45\xa3\x0d\x7e\x1b\xc9\xa0\xad"
> +                         "\xb9\x2c\x54\xa6\xc7\x55\x16\xd0"
> +                         "\xc5\x2e\x02\x44\x35\xd0\x7e\x67"
> +                         "\xf2\xc4\x9b\xcd\x95\x10\xcc\x29"
> +                         "\x4b\xfa\x86\x87\xbe\x40\x36\xbe"
> +                         "\xe1\xa3\x52\x89\x55\x20\x9b\xc2"
> +                         "\xab\xf2\x31\x34\x16\xad\xc8\x17"
> +                         "\x65\x24\xc0\xff\x12\x37\xfe\x5a"
> +                         "\x62\x3b\x59\x47\x6c\x5f\x3a\x8e"
> +                         "\x3b\xd9\x30\xc8\x7f\x2f\x88\xda"
> +                         "\x80\xfd\x02\xda\x7f\x9a\x7a\x73"
> +                         "\x59\xc5\x34\x09\x9a\x11\xcb\xa7"
> +                         "\xfc\xf6\xa1\xa0\x60\xfb\x43\xbb"
> +                         "\xf1\xe9\xd7\xc6\x79\x27\x4e\xff"
> +                         "\x22\xb4\x24\xbf\x76\xee\x47\xb9"
> +                         "\x6d\x3f\x8b\xb0\x9c\x3c\x43\xdd"
> +                         "\xff\x25\x2e\x6d\xa4\x2b\xfb\x5d"
> +                         "\x1b\x97\x6c\x55\x0a\x82\x7a\x7b"
> +                         "\x94\x34\xc2\xdb\x2f\x1f\xc1\xea"
> +                         "\xd4\x4d\x17\x46\x3b\x51\x69\x09"
> +                         "\xe4\x99\x32\x25\xfd\x94\xaf\xfb"
> +                         "\x10\xf7\x4f\xdd\x0b\x3c\x8b\x41"
> +                         "\xb3\x6a\xb7\xd1\x33\xa8\x0c\x2f"
> +                         "\x62\x4c\x72\x11\xd7\x74\xe1\x3b"
> +                         "\x38\x43\x66\x7b\x6c\x36\x48\xe7"
> +                         "\xe3\xe7\x9d\xb9\x42\x73\x7a\x2a"
> +                         "\x89\x20\x1a\x41\x80\x03\xf7\x8f"
> +                         "\x61\x78\x13\xbf\xfe\x50\xf5\x04"
> +                         "\x52\xf9\xac\x47\xf8\x62\x4b\xb2"
> +                         "\x24\xa9\xbf\x64\xb0\x18\x69\xd2"
> +                         "\xf5\xe4\xce\xc8\xb1\x87\x75\xd6"
> +                         "\x2c\x24\x79\x00\x7d\x26\xfb\x44"
> +                         "\xe7\x45\x7a\xee\x58\xa5\x83\xc1"
> +                         "\xb4\x24\xab\x23\x2f\x4d\xd7\x4f"
> +                         "\x1c\xc7\xaa\xa9\x50\xf4\xa3\x07"
> +                         "\x12\x13\x89\x74\xdc\x31\x6a\xb2"
> +                         "\xf5\x0f\x13\x8b\xb9\xdb\x85\x1f"
> +                         "\xf5\xbc\x88\xd9\x95\xea\x31\x6c"
> +                         "\x36\x60\xb6\x49\xdc\xc4\xf7\x55"
> +                         "\x3f\x21\xc1\xb5\x92\x18\x5e\xbc"
> +                         "\x9f\x87\x7f\xe7\x79\x25\x40\x33"
> +                         "\xd6\xb9\x33\xd5\x50\xb3\xc7\x89"
> +                         "\x1b\x12\xa0\x46\xdd\xa7\xd8\x3e"
> +                         "\x71\xeb\x6f\x66\xa1\x26\x0c\x67"
> +                         "\xab\xb2\x38\x58\x17\xd8\x44\x3b"
> +                         "\x16\xf0\x8e\x62\x8d\x16\x10\x00"
> +                         "\x32\x8b\xef\xb9\x28\xd3\xc5\xad"
> +                         "\x0a\x19\xa2\xe4\x03\x27\x7d\x94"
> +                         "\x06\x18\xcd\xd6\x27\x00\xf9\x1f"
> +                         "\xb6\xb3\xfe\x96\x35\x5f\xc4\x1c"
> +                         "\x07\x62\x10\x79\x68\x50\xf1\x7e"
> +                         "\x29\xe7\xc4\xc4\xe7\xee\x54\xd6"
> +                         "\x58\x76\x84\x6d\x8d\xe4\x59\x31"
> +                         "\xe9\xf4\xdc\xa1\x1f\xe5\x1a\xd6"
> +                         "\xe6\x64\x46\xf5\x77\x9c\x60\x7a"
> +                         "\x5e\x62\xe3\x0a\xd4\x9f\x7a\x2d"
> +                         "\x7a\xa5\x0a\x7b\x29\x86\x7a\x74"
> +                         "\x74\x71\x6b\xca\x7d\x1d\xaa\xba"
> +                         "\x39\x84\x43\x76\x35\xfe\x4f\x9b"
> +                         "\xbb\xbb\xb5\x6a\x32\xb5\x5d\x41"
> +                         "\x51\xf0\x5b\x68\x03\x47\x4b\x8a"
> +                         "\xca\x88\xf6\x37\xbd\x73\x51\x70"
> +                         "\x66\xfe\x9e\x5f\x21\x9c\xf3\xdd"
> +                         "\xc3\xea\x27\xf9\x64\x94\xe1\x19"
> +                         "\xa0\xa9\xab\x60\xe0\x0e\xf7\x78"
> +                         "\x70\x86\xeb\xe0\xd1\x5c\x05\xd3"
> +                         "\xd7\xca\xe0\xc0\x47\x47\x34\xee"
> +                         "\x11\xa3\xa3\x54\x98\xb7\x49\x8e"
> +                         "\x84\x28\x70\x2c\x9e\xfb\x55\x54"
> +                         "\x4d\xf8\x86\xf7\x85\x7c\xbd\xf3"
> +                         "\x17\xd8\x47\xcb\xac\xf4\x20\x85"
> +                         "\x34\x66\xad\x37\x2d\x5e\x52\xda"
> +                         "\x8a\xfe\x98\x55\x30\xe7\x2d\x2b"
> +                         "\x19\x10\x8e\x7b\x66\x5e\xdc\xe0"
> +                         "\x45\x1f\x7b\xb4\x08\xfb\x8f\xf6"
> +                         "\x8c\x89\x21\x34\x55\x27\xb2\x76"
> +                         "\xb2\x07\xd9\xd6\x68\x9b\xea\x6b"
> +                         "\x2d\xb4\xc4\x35\xdd\xd2\x79\xae"
> +                         "\xc7\xd6\x26\x7f\x12\x01\x8c\xa7"
> +                         "\xe3\xdb\xa8\xf4\xf7\x2b\xec\x99"
> +                         "\x11\x00\xf1\x35\x8c\xcf\xd5\xc9"
> +                         "\xbd\x91\x36\x39\x70\xcf\x7d\x70"
> +                         "\x47\x1a\xfc\x6b\x56\xe0\x3f\x9c"
> +                         "\x60\x49\x01\x72\xa9\xaf\x2c\x9c"
> +                         "\xe8\xab\xda\x8c\x14\x19\xf3\x75"
> +                         "\x07\x17\x9d\x44\x67\x7a\x2e\xef"
> +                         "\xb7\x83\x35\x4a\xd1\x3d\x1c\x84"
> +                         "\x32\xdd\xaa\xea\xca\x1d\xdc\x72"
> +                         "\x2c\xcc\x43\xcd\x5d\xe3\x21\xa4"
> +                         "\xd0\x8a\x4b\x20\x12\xa3\xd5\x86"
> +                         "\x76\x96\xff\x5f\x04\x57\x0f\xe6"
> +                         "\xba\xe8\x76\x50\x0c\x64\x1d\x83"
> +                         "\x9c\x9b\x9a\x9a\x58\x97\x9c\x5c"
> +                         "\xb4\xa4\xa6\x3e\x19\xeb\x8f\x5a"
> +                         "\x61\xb2\x03\x7b\x35\x19\xbe\xa7"
> +                         "\x63\x0c\xfd\xdd\xf9\x90\x6c\x08"
> +                         "\x19\x11\xd3\x65\x4a\xf5\x96\x92"
> +                         "\x59\xaa\x9c\x61\x0c\x29\xa7\xf8"
> +                         "\x14\x39\x37\xbf\x3c\xf2\x16\x72"
> +                         "\x02\xfa\xa2\xf3\x18\x67\x5d\xcb"
> +                         "\xdc\x4d\xbb\x96\xff\x70\x08\x2d"
> +                         "\xc2\xa8\x52\xe1\x34\x5f\x72\xfe"
> +                         "\x64\xbf\xca\xa7\x74\x38\xfb\x74"
> +                         "\x55\x9c\xfa\x8a\xed\xfb\x98\xeb"
> +                         "\x58\x2e\x6c\xe1\x52\x76\x86\xd7"
> +                         "\xcf\xa1\xa4\xfc\xb2\x47\x41\x28"
> +                         "\xa3\xc1\xe5\xfd\x53\x19\x28\x2b"
> +                         "\x37\x04\x65\x96\x99\x7a\x28\x0f"
> +                         "\x07\x68\x4b\xc7\x52\x0a\x55\x35"
> +                         "\x40\x19\x95\x61\xe8\x59\x40\x1f"
> +                         "\x9d\xbf\x78\x7d\x8f\x84\xff\x6f"
> +                         "\xd0\xd5\x63\xd2\x22\xbd\xc8\x4e"
> +                         "\xfb\xe7\x9f\x06\xe6\xe7\x39\x6d"
> +                         "\x6a\x96\x9f\xf0\x74\x7e\xc9\x35"
> +                         "\xb7\x26\xb8\x1c\x0a\xa6\x27\x2c"
> +                         "\xa2\x2b\xfe\xbe\x0f\x07\x73\xae"
> +                         "\x7f\x7f\x54\xf5\x7c\x6a\x0a\x56"
> +                         "\x49\xd4\x81\xe5\x85\x53\x99\x1f"
> +                         "\x95\x05\x13\x58\x8d\x0e\x1b\x90"
> +                         "\xc3\x75\x48\x64\x58\x98\x67\x84"
> +                         "\xae\xe2\x21\xa2\x8a\x04\x0a\x0b"
> +                         "\x61\xaa\xb0\xd4\x28\x60\x7a\xf8"
> +                         "\xbc\x52\xfb\x24\x7f\xed\x0d\x2a"
> +                         "\x0a\xb2\xf9\xc6\x95\xb5\x11\xc9"
> +                         "\xf4\x0f\x26\x11\xcf\x2a\x57\x87"
> +                         "\x7a\xf3\xe7\x94\x65\xc2\xb5\xb3"
> +                         "\xab\x98\xe3\xc1\x2b\x59\x19\x7c"
> +                         "\xd6\xf3\xf9\xbf\xff\x6d\xc6\x82"
> +                         "\x13\x2f\x4a\x2e\xcd\x26\xfe\x2d"
> +                         "\x01\x70\xf4\xc2\x7f\x1f\x4c\xcb"
> +                         "\x47\x77\x0c\xa0\xa3\x03\xec\xda"
> +                         "\xa9\xbf\x0d\x2d\xae\xe4\xb8\x7b"
> +                         "\xa9\xbc\x08\xb4\x68\x2e\xc5\x60"
> +                         "\x8d\x87\x41\x2b\x0f\x69\xf0\xaf"
> +                         "\x5f\xba\x72\x20\x0f\x33\xcd\x6d"
> +                         "\x36\x7d\x7b\xd5\x05\xf1\x4b\x05"
> +                         "\xc4\xfc\x7f\x80\xb9\x4d\xbd\xf7"
> +                         "\x7c\x84\x07\x01\xc2\x40\x66\x5b"
> +                         "\x98\xc7\x2c\xe3\x97\xfa\xdf\x87"
> +                         "\xa0\x1f\xe9\x21\x42\x0f\x3b\xeb"
> +                         "\x89\x1c\x3b\xca\x83\x61\x77\x68"
> +                         "\x84\xbb\x60\x87\x38\x2e\x25\xd5"
> +                         "\x9e\x04\x41\x70\xac\xda\xc0\x9c"
> +                         "\x9c\x69\xea\x8d\x4e\x55\x2a\x29"
> +                         "\xed\x05\x4b\x7b\x73\x71\x90\x59"
> +                         "\x4d\xc8\xd8\x44\xf0\x4c\xe1\x5e"
> +                         "\x84\x47\x55\xcc\x32\x3f\xe7\x97"
> +                         "\x42\xc6\x32\xac\x40\xe5\xa5\xc7"
> +                         "\x8b\xed\xdb\xf7\x83\xd6\xb1\xc2"
> +                         "\x52\x5e\x34\xb7\xeb\x6e\xd9\xfc"
> +                         "\xe5\x93\x9a\x97\x3e\xb0\xdc\xd9"
> +                         "\xd7\x06\x10\xb6\x1d\x80\x59\xdd"
> +                         "\x0d\xfe\x64\x35\xcd\x5d\xec\xf0"
> +                         "\xba\xd0\x34\xc9\x2d\x91\xc5\x17"
> +                         "\x11",
> +               .len    = 1281,
> +               .also_non_np = 1,
> +               .np     = 3,
> +               .tap    = { 1200, 1, 80 },
> +       },
> +};
> +
>  /*
>   * CTS (Cipher Text Stealing) mode tests
>   */
> diff --git a/include/crypto/chacha20.h b/include/crypto/chacha20.h
> index fbec4e6a87890..6290d997060ec 100644
> --- a/include/crypto/chacha20.h
> +++ b/include/crypto/chacha20.h
> @@ -1,6 +1,10 @@
>  /* SPDX-License-Identifier: GPL-2.0 */
>  /*
> - * Common values for the ChaCha20 algorithm
> + * Common values and helper functions for the ChaCha20 and XChaCha20 algorithms.
> + *
> + * XChaCha20 extends ChaCha20's nonce to 192 bits, while provably retaining
> + * ChaCha20's security.  Here they share the same key size, tfm context, and
> + * setkey function; only their IV size and encrypt/decrypt function differ.
>   */
>
>  #ifndef _CRYPTO_CHACHA20_H
> @@ -10,10 +14,15 @@
>  #include <linux/types.h>
>  #include <linux/crypto.h>
>
> +/* 32-bit stream position, then 96-bit nonce (RFC7539 convention) */
>  #define CHACHA20_IV_SIZE       16
> +
>  #define CHACHA20_KEY_SIZE      32
>  #define CHACHA20_BLOCK_SIZE    64
>
> +/* 192-bit nonce, then 64-bit stream position */
> +#define XCHACHA20_IV_SIZE      32
> +
>  struct chacha20_ctx {
>         u32 key[8];
>  };
> @@ -22,8 +31,11 @@ void chacha20_block(u32 *state, u8 *stream);
>  void hchacha20_block(const u32 *in, u32 *out);
>
>  void crypto_chacha20_init(u32 *state, struct chacha20_ctx *ctx, u8 *iv);
> +
>  int crypto_chacha20_setkey(struct crypto_skcipher *tfm, const u8 *key,
>                            unsigned int keysize);
> +
>  int crypto_chacha20_crypt(struct skcipher_request *req);
> +int crypto_xchacha20_crypt(struct skcipher_request *req);
>
>  #endif
> --
> 2.19.1.331.ge82ca0e54c-goog
>

  reply	other threads:[~2018-10-19 14:24 UTC|newest]

Thread overview: 54+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-15 17:54 [RFC PATCH v2 00/12] crypto: Adiantum support Eric Biggers
2018-10-15 17:54 ` [RFC PATCH v2 01/12] crypto: chacha20-generic - add HChaCha20 library function Eric Biggers
2018-10-19 14:13   ` Ard Biesheuvel
2018-10-15 17:54 ` [RFC PATCH v2 02/12] crypto: chacha20-generic - add XChaCha20 support Eric Biggers
2018-10-19 14:24   ` Ard Biesheuvel [this message]
2018-10-15 17:54 ` [RFC PATCH v2 03/12] crypto: chacha20-generic - refactor to allow varying number of rounds Eric Biggers
2018-10-19 14:25   ` Ard Biesheuvel
2018-10-15 17:54 ` [RFC PATCH v2 04/12] crypto: chacha - add XChaCha12 support Eric Biggers
2018-10-19 14:34   ` Ard Biesheuvel
2018-10-19 18:28     ` Eric Biggers
2018-10-15 17:54 ` [RFC PATCH v2 05/12] crypto: arm/chacha20 - add XChaCha20 support Eric Biggers
2018-10-20  2:29   ` Ard Biesheuvel
2018-10-15 17:54 ` [RFC PATCH v2 06/12] crypto: arm/chacha20 - refactor to allow varying number of rounds Eric Biggers
2018-10-20  3:35   ` Ard Biesheuvel
2018-10-20  5:26     ` Eric Biggers
2018-10-15 17:54 ` [RFC PATCH v2 07/12] crypto: arm/chacha - add XChaCha12 support Eric Biggers
2018-10-20  3:36   ` Ard Biesheuvel
2018-10-15 17:54 ` [RFC PATCH v2 08/12] crypto: poly1305 - add Poly1305 core API Eric Biggers
2018-10-20  3:45   ` Ard Biesheuvel
2018-10-15 17:54 ` [RFC PATCH v2 09/12] crypto: nhpoly1305 - add NHPoly1305 support Eric Biggers
2018-10-20  4:00   ` Ard Biesheuvel
2018-10-20  5:38     ` Eric Biggers
2018-10-20 15:06       ` Ard Biesheuvel
2018-10-22 18:42         ` Eric Biggers
2018-10-22 22:25           ` Ard Biesheuvel
2018-10-22 22:40             ` Eric Biggers
2018-10-22 22:43               ` Ard Biesheuvel
2018-10-15 17:54 ` [RFC PATCH v2 10/12] crypto: arm/nhpoly1305 - add NEON-accelerated NHPoly1305 Eric Biggers
2018-10-20  4:12   ` Ard Biesheuvel
2018-10-20  5:51     ` Eric Biggers
2018-10-20 15:00       ` Ard Biesheuvel
2018-10-15 17:54 ` [RFC PATCH v2 11/12] crypto: adiantum - add Adiantum support Eric Biggers
2018-10-20  4:17   ` Ard Biesheuvel
2018-10-20  7:12     ` Eric Biggers
2018-10-23 10:40       ` Ard Biesheuvel
2018-10-24 22:06         ` Eric Biggers
2018-10-30  8:17           ` Herbert Xu
2018-10-15 17:54 ` [RFC PATCH v2 12/12] fscrypt: " Eric Biggers
2018-10-19 15:58 ` [RFC PATCH v2 00/12] crypto: " Jason A. Donenfeld
2018-10-19 18:19   ` Paul Crowley
2018-10-20  3:24     ` Ard Biesheuvel
2018-10-20  5:22       ` Eric Biggers
     [not found]     ` <2395454e-a0dc-408f-4138-9d15ab5f20b8@esat.kuleuven.be>
2018-10-22 11:20       ` Tomer Ashur
2018-10-19 19:04   ` Eric Biggers
2018-10-20 10:26     ` Milan Broz
2018-10-20 13:47       ` Jason A. Donenfeld
2018-11-16 21:52       ` Eric Biggers
2018-11-17 10:29         ` Milan Broz
2018-11-19 19:28           ` Eric Biggers
2018-11-19 20:05             ` Milan Broz
2018-11-19 20:30               ` Jason A. Donenfeld
2018-10-21 22:23     ` Eric Biggers
2018-10-21 22:51       ` Jason A. Donenfeld
2018-10-22 17:17         ` Paul Crowley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAKv+Gu8WnYpSiQuPPSzhxPe5xqwq779o9HWeDaoKxTJR5UFUCA@mail.gmail.com \
    --to=ard.biesheuvel@linaro.org \
    --cc=Jason@zx2c4.com \
    --cc=ebiggers@kernel.org \
    --cc=gkaiser@google.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-fscrypt@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mhalcrow@google.com \
    --cc=paulcrowley@google.com \
    --cc=samuel.c.p.neves@gmail.com \
    --cc=tomer.ashur@esat.kuleuven.be \
    --subject='Re: [RFC PATCH v2 02/12] crypto: chacha20-generic - add XChaCha20 support' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).