
crypto: adiantum - Convert to use NH library

Reimplement the Adiantum message hashing using the nh() library
function, combined with some code which directly handles the Poly1305
stage. The latter code is derived from crypto/nhpoly1305.c.

This eliminates the dependency on the "nhpoly1305" crypto_shash
algorithm, which existed only to fit Adiantum message hashing into the
traditional Linux crypto API paradigm. Now that simple,
architecture-optimized library functions are a well-established option
too, we can switch to this simpler implementation.

Note: I've dropped the support for the optional third parameter of the
adiantum template, which specified the nhpoly1305 implementation. We
could keep accepting some strings in this parameter for backwards
compatibility, but I don't think it's being used. I believe only
"adiantum(xchacha12,aes)" and "adiantum(xchacha20,aes)" are used.

Link: https://lore.kernel.org/r/20251211011846.8179-7-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>

+191 -110
+1 -1
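--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -601,9 +601,9 @@
 config CRYPTO_ADIANTUM
 tristate "Adiantum"
 select CRYPTO_CHACHA20
+select CRYPTO_LIB_NH
 select CRYPTO_LIB_POLY1305
 select CRYPTO_LIB_POLY1305_GENERIC
-select CRYPTO_NHPOLY1305
 select CRYPTO_MANAGER
 help
 Adiantum tweakable, length-preserving encryption mode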
+188 -107
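--- a/crypto/adiantum.c
+++ b/crypto/adiantum.c
@@ -20,23 +20,14 @@
 *
 * - Stream cipher: XChaCha12 or XChaCha20
 * - Block cipher: any with a 128-bit block size and 256-bit key
-*
-* This implementation doesn't currently allow other ε-∆U hash functions, i.e.
-* HPolyC is not supported. This is because Adiantum is ~20% faster than HPolyC
-* but still provably as secure, and also the ε-∆U hash function of HBSH is
-* formally defined to take two inputs (tweak, message) which makes it difficult
-* to wrap with the crypto_shash API. Rather, some details need to be handled
-* here. Nevertheless, if needed in the future, support for other ε-∆U hash
-* functions could be added here.
 */
 
 #include <crypto/b128ops.h>
 #include <crypto/chacha.h>
 #include <crypto/internal/cipher.h>
-#include <crypto/internal/hash.h>
 #include <crypto/internal/poly1305.h>
 #include <crypto/internal/skcipher.h>
-#include <crypto/nhpoly1305.h>
+#include <crypto/nh.h>
 #include <crypto/scatterwalk.h>
 #include <linux/module.h>
 
@@ -50,7 +41,7 @@
 #define BLOCKCIPHER_KEY_SIZE 32
 
 /* Size of the hash key (K_H) in bytes */
-#define HASH_KEY_SIZE (POLY1305_BLOCK_SIZE + NHPOLY1305_KEY_SIZE)
+#define HASH_KEY_SIZE (2 * POLY1305_BLOCK_SIZE + NH_KEY_BYTES)
 
 /*
 * The specification allows variable-length tweaks, but Linux's crypto API
@@ -64,14 +55,31 @@
 struct adiantum_instance_ctx {
 struct crypto_skcipher_spawn streamcipher_spawn;
 struct crypto_cipher_spawn blockcipher_spawn;
-struct crypto_shash_spawn hash_spawn;
 };
 
 struct adiantum_tfm_ctx {
 struct crypto_skcipher *streamcipher;
 struct crypto_cipher *blockcipher;
-struct crypto_shash *hash;
 struct poly1305_core_key header_hash_key;
+struct poly1305_core_key msg_poly_key;
+u32 nh_key[NH_KEY_WORDS];
+};
+
+struct nhpoly1305_ctx {
+/* Running total of polynomial evaluation */
+struct poly1305_state poly_state;
+
+/* Partial block buffer */
+u8 buffer[NH_MESSAGE_UNIT];
+unsigned int buflen;
+
+/*
+* Number of bytes remaining until the current NH message reaches
+* NH_MESSAGE_BYTES. When nonzero, 'nh_hash' holds the partial NH hash.
+*/
+unsigned int nh_remaining;
+
+__le64 nh_hash[NH_NUM_PASSES];
 };
 
 struct adiantum_request_ctx {
@@ -98,9 +106,12 @@
 */
 le128 header_hash;
 
-/* Sub-requests, must be last */
+/*
+* skcipher sub-request size is unknown at compile-time, so it needs to
+* go after the members with known sizes.
+*/
 union {
-struct shash_desc hash_desc;
+struct nhpoly1305_ctx hash_ctx;
 struct skcipher_request streamcipher_req;
 } u;
 };
@@ -170,12 +181,11 @@
 /* Set the hash key (K_H) */
 poly1305_core_setkey(&tctx->header_hash_key, keyp);
 keyp += POLY1305_BLOCK_SIZE;
-
-crypto_shash_clear_flags(tctx->hash, CRYPTO_TFM_REQ_MASK);
-crypto_shash_set_flags(tctx->hash, crypto_skcipher_get_flags(tfm) &
-CRYPTO_TFM_REQ_MASK);
-err = crypto_shash_setkey(tctx->hash, keyp, NHPOLY1305_KEY_SIZE);
-keyp += NHPOLY1305_KEY_SIZE;
+poly1305_core_setkey(&tctx->msg_poly_key, keyp);
+keyp += POLY1305_BLOCK_SIZE;
+for (int i = 0; i < NH_KEY_WORDS; i++)
+tctx->nh_key[i] = get_unaligned_le32(&keyp[i * 4]);
+keyp += NH_KEY_BYTES;
 WARN_ON(keyp != &data->derived_keys[ARRAY_SIZE(data->derived_keys)]);
 out:
 kfree_sensitive(data);
@@ -243,35 +253,143 @@
 poly1305_core_emit(&state, NULL, &rctx->header_hash);
 }
 
-/* Hash the left-hand part (the "bulk") of the message using NHPoly1305 */
-static int adiantum_hash_message(struct skcipher_request *req,
-struct scatterlist *sgl, unsigned int nents,
-le128 *digest)
+/* Pass the next NH hash value through Poly1305 */
+static void process_nh_hash_value(struct nhpoly1305_ctx *ctx,
+const struct adiantum_tfm_ctx *key)
 {
+static_assert(NH_HASH_BYTES % POLY1305_BLOCK_SIZE == 0);
+
+poly1305_core_blocks(&ctx->poly_state, &key->msg_poly_key, ctx->nh_hash,
+NH_HASH_BYTES / POLY1305_BLOCK_SIZE, 1);
+}
+
+/*
+* Feed the next portion of the message data, as a whole number of 16-byte
+* "NH message units", through NH and Poly1305. Each NH hash is taken over
+* 1024 bytes, except possibly the final one which is taken over a multiple of
+* 16 bytes up to 1024. Also, in the case where data is passed in misaligned
+* chunks, we combine partial hashes; the end result is the same either way.
+*/
+static void nhpoly1305_units(struct nhpoly1305_ctx *ctx,
+const struct adiantum_tfm_ctx *key,
+const u8 *data, size_t len)
+{
+do {
+unsigned int bytes;
+
+if (ctx->nh_remaining == 0) {
+/* Starting a new NH message */
+bytes = min(len, NH_MESSAGE_BYTES);
+nh(key->nh_key, data, bytes, ctx->nh_hash);
+ctx->nh_remaining = NH_MESSAGE_BYTES - bytes;
+} else {
+/* Continuing a previous NH message */
+__le64 tmp_hash[NH_NUM_PASSES];
+unsigned int pos;
+
+pos = NH_MESSAGE_BYTES - ctx->nh_remaining;
+bytes = min(len, ctx->nh_remaining);
+nh(&key->nh_key[pos / 4], data, bytes, tmp_hash);
+for (int i = 0; i < NH_NUM_PASSES; i++)
+le64_add_cpu(&ctx->nh_hash[i],
+le64_to_cpu(tmp_hash[i]));
+ctx->nh_remaining -= bytes;
+}
+if (ctx->nh_remaining == 0)
+process_nh_hash_value(ctx, key);
+data += bytes;
+len -= bytes;
+} while (len);
+}
+
+static void nhpoly1305_init(struct nhpoly1305_ctx *ctx)
+{
+poly1305_core_init(&ctx->poly_state);
+ctx->buflen = 0;
+ctx->nh_remaining = 0;
+}
+
+static void nhpoly1305_update(struct nhpoly1305_ctx *ctx,
+const struct adiantum_tfm_ctx *key,
+const u8 *data, size_t len)
+{
+unsigned int bytes;
+
+if (ctx->buflen) {
+bytes = min(len, (int)NH_MESSAGE_UNIT - ctx->buflen);
+memcpy(&ctx->buffer[ctx->buflen], data, bytes);
+ctx->buflen += bytes;
+if (ctx->buflen < NH_MESSAGE_UNIT)
+return;
+nhpoly1305_units(ctx, key, ctx->buffer, NH_MESSAGE_UNIT);
+ctx->buflen = 0;
+data += bytes;
+len -= bytes;
+}
+
+if (len >= NH_MESSAGE_UNIT) {
+bytes = round_down(len, NH_MESSAGE_UNIT);
+nhpoly1305_units(ctx, key, data, bytes);
+data += bytes;
+len -= bytes;
+}
+
+if (len) {
+memcpy(ctx->buffer, data, len);
+ctx->buflen = len;
+}
+}
+
+static void nhpoly1305_final(struct nhpoly1305_ctx *ctx,
+const struct adiantum_tfm_ctx *key, le128 *out)
+{
+if (ctx->buflen) {
+memset(&ctx->buffer[ctx->buflen], 0,
+NH_MESSAGE_UNIT - ctx->buflen);
+nhpoly1305_units(ctx, key, ctx->buffer, NH_MESSAGE_UNIT);
+}
+
+if (ctx->nh_remaining)
+process_nh_hash_value(ctx, key);
+
+poly1305_core_emit(&ctx->poly_state, NULL, out);
+}
+
+/*
+* Hash the left-hand part (the "bulk") of the message as follows:
+*
+* H_L ← Poly1305_{K_L}(NH_{K_N}(pad_{128}(L)))
+*
+* See section 6.4 of the Adiantum paper. This is an ε-almost-∆-universal
+* (ε-∆U) hash function for equal-length inputs over Z/(2^{128}Z), where the "∆"
+* operation is addition. It hashes 1024-byte chunks of the input with the NH
+* hash function, reducing the input length by 32x. The resulting NH hashes are
+* evaluated as a polynomial in GF(2^{130}-5), like in the Poly1305 MAC. Note
+* that the polynomial evaluation by itself would suffice to achieve the ε-∆U
+* property; NH is used for performance since it's much faster than Poly1305.
+*/
+static void adiantum_hash_message(struct skcipher_request *req,
+struct scatterlist *sgl, unsigned int nents,
+le128 *out)
+{
+struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
 struct adiantum_request_ctx *rctx = skcipher_request_ctx(req);
 const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE;
-struct shash_desc *hash_desc = &rctx->u.hash_desc;
 struct sg_mapping_iter miter;
 unsigned int i, n;
-int err;
 
-err = crypto_shash_init(hash_desc);
-if (err)
-return err;
+nhpoly1305_init(&rctx->u.hash_ctx);
 
 sg_miter_start(&miter, sgl, nents, SG_MITER_FROM_SG | SG_MITER_ATOMIC);
 for (i = 0; i < bulk_len; i += n) {
 sg_miter_next(&miter);
 n = min_t(unsigned int, miter.length, bulk_len - i);
-err = crypto_shash_update(hash_desc, miter.addr, n);
-if (err)
-break;
+nhpoly1305_update(&rctx->u.hash_ctx, tctx, miter.addr, n);
 }
 sg_miter_stop(&miter);
-if (err)
-return err;
 
-return crypto_shash_final(hash_desc, (u8 *)digest);
+nhpoly1305_final(&rctx->u.hash_ctx, tctx, out);
 }
 
 /* Continue Adiantum encryption/decryption after the stream cipher step */
@@ -284,7 +402,6 @@
 struct scatterlist *dst = req->dst;
 const unsigned int dst_nents = sg_nents(dst);
 le128 digest;
-int err;
 
 /* If decrypting, decrypt C_M with the block cipher to get P_M */
 if (!rctx->enc)
@@ -296,28 +413,22 @@
 * enc: C_R = C_M - H_{K_H}(T, C_L)
 * dec: P_R = P_M - H_{K_H}(T, P_L)
 */
-rctx->u.hash_desc.tfm = tctx->hash;
 le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &rctx->header_hash);
 if (dst_nents == 1 && dst->offset + req->cryptlen <= PAGE_SIZE) {
 /* Fast path for single-page destination */
 struct page *page = sg_page(dst);
 void *virt = kmap_local_page(page) + dst->offset;
 
-err = crypto_shash_digest(&rctx->u.hash_desc, virt, bulk_len,
-(u8 *)&digest);
-if (err) {
-kunmap_local(virt);
-return err;
-}
+nhpoly1305_init(&rctx->u.hash_ctx);
+nhpoly1305_update(&rctx->u.hash_ctx, tctx, virt, bulk_len);
+nhpoly1305_final(&rctx->u.hash_ctx, tctx, &digest);
 le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest);
 memcpy(virt + bulk_len, &rctx->rbuf.bignum, sizeof(le128));
 flush_dcache_page(page);
 kunmap_local(virt);
 } else {
 /* Slow path that works for any destination scatterlist */
-err = adiantum_hash_message(req, dst, dst_nents, &digest);
-if (err)
-return err;
+adiantum_hash_message(req, dst, dst_nents, &digest);
 le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest);
 scatterwalk_map_and_copy(&rctx->rbuf.bignum, dst,
 bulk_len, sizeof(le128), 1);
@@ -345,7 +456,6 @@
 const unsigned int src_nents = sg_nents(src);
 unsigned int stream_len;
 le128 digest;
-int err;
 
 if (req->cryptlen < BLOCKCIPHER_BLOCK_SIZE)
 return -EINVAL;
@@ -358,23 +468,21 @@
 * dec: C_M = C_R + H_{K_H}(T, C_L)
 */
 adiantum_hash_header(req);
-rctx->u.hash_desc.tfm = tctx->hash;
 if (src_nents == 1 && src->offset + req->cryptlen <= PAGE_SIZE) {
 /* Fast path for single-page source */
 void *virt = kmap_local_page(sg_page(src)) + src->offset;
 
-err = crypto_shash_digest(&rctx->u.hash_desc, virt, bulk_len,
-(u8 *)&digest);
+nhpoly1305_init(&rctx->u.hash_ctx);
+nhpoly1305_update(&rctx->u.hash_ctx, tctx, virt, bulk_len);
+nhpoly1305_final(&rctx->u.hash_ctx, tctx, &digest);
 memcpy(&rctx->rbuf.bignum, virt + bulk_len, sizeof(le128));
 kunmap_local(virt);
 } else {
 /* Slow path that works for any source scatterlist */
-err = adiantum_hash_message(req, src, src_nents, &digest);
+adiantum_hash_message(req, src, src_nents, &digest);
 scatterwalk_map_and_copy(&rctx->rbuf.bignum, src,
 bulk_len, sizeof(le128), 0);
 }
-if (err)
-return err;
 le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &rctx->header_hash);
 le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest);
 
@@ -431,8 +539,6 @@
 struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
 struct crypto_skcipher *streamcipher;
 struct crypto_cipher *blockcipher;
-struct crypto_shash *hash;
-unsigned int subreq_size;
 int err;
 
 streamcipher = crypto_spawn_skcipher(&ictx->streamcipher_spawn);
@@ -445,32 +551,18 @@
 goto err_free_streamcipher;
 }
 
-hash = crypto_spawn_shash(&ictx->hash_spawn);
-if (IS_ERR(hash)) {
-err = PTR_ERR(hash);
-goto err_free_blockcipher;
-}
-
 tctx->streamcipher = streamcipher;
 tctx->blockcipher = blockcipher;
-tctx->hash = hash;
 
 BUILD_BUG_ON(offsetofend(struct adiantum_request_ctx, u) !=
 sizeof(struct adiantum_request_ctx));
-subreq_size = max(sizeof_field(struct adiantum_request_ctx,
-u.hash_desc) +
-crypto_shash_descsize(hash),
-sizeof_field(struct adiantum_request_ctx,
-u.streamcipher_req) +
-crypto_skcipher_reqsize(streamcipher));
-
-crypto_skcipher_set_reqsize(tfm,
-offsetof(struct adiantum_request_ctx, u) +
-subreq_size);
+crypto_skcipher_set_reqsize(
+tfm, max(sizeof(struct adiantum_request_ctx),
+offsetofend(struct adiantum_request_ctx,
+u.streamcipher_req) +
+crypto_skcipher_reqsize(streamcipher)));
 return 0;
 
-err_free_blockcipher:
-crypto_free_cipher(blockcipher);
 err_free_streamcipher:
 crypto_free_skcipher(streamcipher);
 return err;
@@ -482,7 +574,6 @@
 
 crypto_free_skcipher(tctx->streamcipher);
 crypto_free_cipher(tctx->blockcipher);
-crypto_free_shash(tctx->hash);
 }
 
 static void adiantum_free_instance(struct skcipher_instance *inst)
@@ -491,7 +582,6 @@
 
 crypto_drop_skcipher(&ictx->streamcipher_spawn);
 crypto_drop_cipher(&ictx->blockcipher_spawn);
-crypto_drop_shash(&ictx->hash_spawn);
 kfree(inst);
 }
 
@@ -499,9 +589,9 @@
 * Check for a supported set of inner algorithms.
 * See the comment at the beginning of this file.
 */
-static bool adiantum_supported_algorithms(struct skcipher_alg_common *streamcipher_alg,
-struct crypto_alg *blockcipher_alg,
-struct shash_alg *hash_alg)
+static bool
+adiantum_supported_algorithms(struct skcipher_alg_common *streamcipher_alg,
+struct crypto_alg *blockcipher_alg)
 {
 if (strcmp(streamcipher_alg->base.cra_name, "xchacha12") != 0 &&
 strcmp(streamcipher_alg->base.cra_name, "xchacha20") != 0)
@@ -513,21 +603,16 @@
 if (blockcipher_alg->cra_blocksize != BLOCKCIPHER_BLOCK_SIZE)
 return false;
 
-if (strcmp(hash_alg->base.cra_name, "nhpoly1305") != 0)
-return false;
-
 return true;
 }
 
 static int adiantum_create(struct crypto_template *tmpl, struct rtattr **tb)
 {
 u32 mask;
-const char *nhpoly1305_name;
 struct skcipher_instance *inst;
 struct adiantum_instance_ctx *ictx;
 struct skcipher_alg_common *streamcipher_alg;
 struct crypto_alg *blockcipher_alg;
-struct shash_alg *hash_alg;
 int err;
 
 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SKCIPHER, &mask);
@@ -555,23 +640,21 @@
 goto err_free_inst;
 blockcipher_alg = crypto_spawn_cipher_alg(&ictx->blockcipher_spawn);
 
-/* NHPoly1305 ε-∆U hash function */
-nhpoly1305_name = crypto_attr_alg_name(tb[3]);
-if (nhpoly1305_name == ERR_PTR(-ENOENT))
-nhpoly1305_name = "nhpoly1305";
-err = crypto_grab_shash(&ictx->hash_spawn,
-skcipher_crypto_instance(inst),
-nhpoly1305_name, 0, mask);
-if (err)
+/*
+* Originally there was an optional third parameter, for requesting a
+* specific implementation of "nhpoly1305" for message hashing. This is
+* no longer supported. The best implementation is just always used.
+*/
+if (crypto_attr_alg_name(tb[3]) != ERR_PTR(-ENOENT)) {
+err = -ENOENT;
 goto err_free_inst;
-hash_alg = crypto_spawn_shash_alg(&ictx->hash_spawn);
+}
 
 /* Check the set of algorithms */
-if (!adiantum_supported_algorithms(streamcipher_alg, blockcipher_alg,
-hash_alg)) {
-pr_warn("Unsupported Adiantum instantiation: (%s,%s,%s)\n",
+if (!adiantum_supported_algorithms(streamcipher_alg, blockcipher_alg)) {
+pr_warn("Unsupported Adiantum instantiation: (%s,%s)\n",
 streamcipher_alg->base.cra_name,
-blockcipher_alg->cra_name, hash_alg->base.cra_name);
+blockcipher_alg->cra_name);
 err = -EINVAL;
 goto err_free_inst;
 }
@@ -584,10 +667,8 @@
 blockcipher_alg->cra_name) >= CRYPTO_MAX_ALG_NAME)
 goto err_free_inst;
 if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
-"adiantum(%s,%s,%s)",
-streamcipher_alg->base.cra_driver_name,
-blockcipher_alg->cra_driver_name,
-hash_alg->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
+"adiantum(%s,%s)", streamcipher_alg->base.cra_driver_name,
+blockcipher_alg->cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
 goto err_free_inst;
 
 inst->alg.base.cra_blocksize = BLOCKCIPHER_BLOCK_SIZE;
@@ -596,12 +677,12 @@
 /*
 * The block cipher is only invoked once per message, so for long
 * messages (e.g. sectors for disk encryption) its performance doesn't
-* matter as much as that of the stream cipher and hash function. Thus,
-* weigh the block cipher's ->cra_priority less.
+* matter as much as that of the stream cipher. Thus, weigh the block
+* cipher's ->cra_priority less.
 */
 inst->alg.base.cra_priority = (4 * streamcipher_alg->base.cra_priority +
-2 * hash_alg->base.cra_priority +
-blockcipher_alg->cra_priority) / 7;
+blockcipher_alg->cra_priority) /
+5;
 
 inst->alg.setkey = adiantum_setkey;
 inst->alg.encrypt = adiantum_encrypt;
@@ -622,7 +703,7 @@
 return err;
 }
 
-/* adiantum(streamcipher_name, blockcipher_name [, nhpoly1305_name]) */
+/* adiantum(streamcipher_name, blockcipher_name) */
 static struct crypto_template adiantum_tmpl = {
 .name = "adiantum",
 .create = adiantum_create,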
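Review bot: nhpoly1305_units() has an undocumented precondition: because its body is a `do { … } while (len)` loop, `len` must be a nonzero multiple of NH_MESSAGE_UNIT. With `len == 0` and `nh_remaining == 0` it would still call nh() and set `nh_remaining = NH_MESSAGE_BYTES`, and nhpoly1305_final() would then pass an extra NH value through Poly1305, changing the digest without any error. The three call sites in this section all satisfy the condition, but the function comment only says "a whole number" of units; I would add `/* @len must be a nonzero multiple of NH_MESSAGE_UNIT. */` to it. Separately, in nhpoly1305_update() the `(int)` cast in `min(len, (int)NH_MESSAGE_UNIT - ctx->buflen)` is undone by the subtraction with the `unsigned int` buflen, so `min_t(size_t, len, NH_MESSAGE_UNIT - ctx->buflen)` would state the intent directly.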
+2 -2
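--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -4061,14 +4061,14 @@
 static const struct alg_test_desc alg_test_descs[] = {
 {
 .alg = "adiantum(xchacha12,aes)",
-.generic_driver = "adiantum(xchacha12-lib,aes-generic,nhpoly1305-generic)",
+.generic_driver = "adiantum(xchacha12-lib,aes-generic)",
 .test = alg_test_skcipher,
 .suite = {
 .cipher = __VECS(adiantum_xchacha12_aes_tv_template)
 },
 }, {
 .alg = "adiantum(xchacha20,aes)",
-.generic_driver = "adiantum(xchacha20-lib,aes-generic,nhpoly1305-generic)",
+.generic_driver = "adiantum(xchacha20-lib,aes-generic)",
 .test = alg_test_skcipher,
 .suite = {
 .cipher = __VECS(adiantum_xchacha20_aes_tv_template)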