[PATCH 00/12] NH library and Adiantum cleanup

[PATCH 00/12] NH library and Adiantum cleanup

[Eric Biggers]

This series can also be retrieved from:

    git fetch https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git nh-lib-v1

This series removes the nhpoly1305 crypto_shash algorithm, which existed
only to fit Adiantum hashing into the traditional Linux crypto API
paradigm.  It replaces it with an nh() library function, combined with
code in the "adiantum" template that handles the Poly1305 step.

The result is simpler code.  As usual, I've also fixed the issue where
the architecture-optimized code was disabled by default.

I've also included some additional cleanups for the Adiantum code.

I'm planning to take this via libcrypto-next.

Eric Biggers (12):
  lib/crypto: nh: Add NH library
  lib/crypto: tests: Add KUnit tests for NH
  lib/crypto: arm/nh: Migrate optimized code into library
  lib/crypto: arm64/nh: Migrate optimized code into library
  lib/crypto: x86/nh: Migrate optimized code into library
  crypto: adiantum - Convert to use NH library
  crypto: adiantum - Use scatter_walk API instead of sg_miter
  crypto: adiantum - Use memcpy_{to,from}_sglist()
  crypto: adiantum - Drop support for asynchronous xchacha ciphers
  crypto: nhpoly1305 - Remove crypto_shash support
  crypto: testmgr - Remove nhpoly1305 tests
  fscrypt: Drop obsolete recommendation to enable optimized NHPoly1305

 Documentation/filesystems/fscrypt.rst         |    5 -
 arch/arm/crypto/Kconfig                       |   10 -
 arch/arm/crypto/Makefile                      |    2 -
 arch/arm/crypto/nhpoly1305-neon-glue.c        |   80 -
 arch/arm64/crypto/Kconfig                     |   10 -
 arch/arm64/crypto/Makefile                    |    3 -
 arch/arm64/crypto/nhpoly1305-neon-glue.c      |   79 -
 arch/x86/crypto/Kconfig                       |   20 -
 arch/x86/crypto/Makefile                      |    5 -
 arch/x86/crypto/nhpoly1305-avx2-glue.c        |   81 -
 arch/x86/crypto/nhpoly1305-sse2-glue.c        |   80 -
 crypto/Kconfig                                |    8 +-
 crypto/Makefile                               |    1 -
 crypto/adiantum.c                             |  442 +++---
 crypto/nhpoly1305.c                           |  255 ---
 crypto/testmgr.c                              |   10 +-
 crypto/testmgr.h                              | 1372 -----------------
 include/crypto/nh.h                           |   52 +
 include/crypto/nhpoly1305.h                   |   74 -
 lib/crypto/Kconfig                            |   13 +
 lib/crypto/Makefile                           |   11 +
 .../crypto => lib/crypto/arm}/nh-neon-core.S  |    0
 lib/crypto/arm/nh.h                           |   33 +
 .../crypto/arm64}/nh-neon-core.S              |    3 +-
 lib/crypto/arm64/nh.h                         |   34 +
 lib/crypto/nh.c                               |   82 +
 lib/crypto/tests/Kconfig                      |    8 +
 lib/crypto/tests/Makefile                     |    1 +
 lib/crypto/tests/nh-testvecs.h                |  298 ++++
 lib/crypto/tests/nh_kunit.c                   |   43 +
 .../crypto/x86/nh-avx2.S                      |    3 +-
 .../crypto/x86/nh-sse2.S                      |    3 +-
 lib/crypto/x86/nh.h                           |   45 +
 scripts/crypto/gen-hash-testvecs.py           |   40 +
 34 files changed, 909 insertions(+), 2297 deletions(-)
 delete mode 100644 arch/arm/crypto/nhpoly1305-neon-glue.c
 delete mode 100644 arch/arm64/crypto/nhpoly1305-neon-glue.c
 delete mode 100644 arch/x86/crypto/nhpoly1305-avx2-glue.c
 delete mode 100644 arch/x86/crypto/nhpoly1305-sse2-glue.c
 delete mode 100644 crypto/nhpoly1305.c
 create mode 100644 include/crypto/nh.h
 delete mode 100644 include/crypto/nhpoly1305.h
 rename {arch/arm/crypto => lib/crypto/arm}/nh-neon-core.S (100%)
 create mode 100644 lib/crypto/arm/nh.h
 rename {arch/arm64/crypto => lib/crypto/arm64}/nh-neon-core.S (97%)
 create mode 100644 lib/crypto/arm64/nh.h
 create mode 100644 lib/crypto/nh.c
 create mode 100644 lib/crypto/tests/nh-testvecs.h
 create mode 100644 lib/crypto/tests/nh_kunit.c
 rename arch/x86/crypto/nh-avx2-x86_64.S => lib/crypto/x86/nh-avx2.S (98%)
 rename arch/x86/crypto/nh-sse2-x86_64.S => lib/crypto/x86/nh-sse2.S (97%)
 create mode 100644 lib/crypto/x86/nh.h


base-commit: 0914d5848096af6496c7aa5e1ac051fcdb3f755b
-- 
2.52.0

[PATCH 01/12] lib/crypto: nh: Add NH library

[Eric Biggers]

Add support for the NH "almost-universal hash function" to lib/crypto/,
specifically the variant of NH used in Adiantum.

This will replace the need for the "nhpoly1305" crypto_shash algorithm.
All the implementations of "nhpoly1305" use architecture-optimized code
only for the NH stage; they just use the generic C Poly1305 code for the
Poly1305 stage.  We can achieve the same result in a simpler way using
an (architecture-optimized) nh() function combined with code in
crypto/adiantum.c that passes the results to the Poly1305 library.

This commit begins this cleanup by adding the nh() function.  The code
is derived from crypto/nhpoly1305.c and include/crypto/nhpoly1305.h.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 include/crypto/nh.h | 52 ++++++++++++++++++++++++++++
 lib/crypto/Kconfig  | 10 ++++++
 lib/crypto/Makefile |  8 +++++
 lib/crypto/nh.c     | 82 +++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 152 insertions(+)
 create mode 100644 include/crypto/nh.h
 create mode 100644 lib/crypto/nh.c

diff --git a/include/crypto/nh.h b/include/crypto/nh.h
new file mode 100644
index 000000000000..465e85bf203f
--- /dev/null
+++ b/include/crypto/nh.h
@@ -0,0 +1,52 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * NH hash function for Adiantum
+ */
+
+#ifndef _CRYPTO_NH_H
+#define _CRYPTO_NH_H
+
+#include <linux/types.h>
+
+/* NH parameterization: */
+
+/* Endianness: little */
+/* Word size: 32 bits (works well on NEON, SSE2, AVX2) */
+
+/* Stride: 2 words (optimal on ARM32 NEON; works okay on other CPUs too) */
+#define NH_PAIR_STRIDE		2
+#define NH_MESSAGE_UNIT		(NH_PAIR_STRIDE * 2 * sizeof(u32))
+
+/* Num passes (Toeplitz iteration count): 4, to give ε = 2^{-128} */
+#define NH_NUM_PASSES		4
+#define NH_HASH_BYTES		(NH_NUM_PASSES * sizeof(u64))
+
+/* Max message size: 1024 bytes (32x compression factor) */
+#define NH_NUM_STRIDES		64
+#define NH_MESSAGE_WORDS	(NH_PAIR_STRIDE * 2 * NH_NUM_STRIDES)
+#define NH_MESSAGE_BYTES	(NH_MESSAGE_WORDS * sizeof(u32))
+#define NH_KEY_WORDS		(NH_MESSAGE_WORDS + \
+				 NH_PAIR_STRIDE * 2 * (NH_NUM_PASSES - 1))
+#define NH_KEY_BYTES		(NH_KEY_WORDS * sizeof(u32))
+
+/**
+ * nh() - NH hash function for Adiantum
+ * @key: The key.  @message_len + 48 bytes of it are used.  This is NH_KEY_BYTES
+ *	 if @message_len has its maximum length of NH_MESSAGE_BYTES.
+ * @message: The message
+ * @message_len: The message length in bytes.  Must be a multiple of 16
+ *		 (NH_MESSAGE_UNIT) and at most 1024 (NH_MESSAGE_BYTES).
+ * @hash: (output) The resulting hash value
+ *
+ * Note: the pseudocode for NH in the Adiantum paper iterates over 1024-byte
+ * segments of the message, computes a 32-byte hash for each, and returns all
+ * the hashes concatenated together.  In contrast, this function just hashes one
+ * segment and returns one hash.  It's the caller's responsibility to call this
+ * function for each 1024-byte segment and collect all the hashes.
+ *
+ * Context: Any context.
+ */
+void nh(const u32 *key, const u8 *message, size_t message_len,
+	__le64 hash[NH_NUM_PASSES]);
+
+#endif /* _CRYPTO_NH_H */
diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
index ee6ab129d0cf..f14c9f5974d8 100644
--- a/lib/crypto/Kconfig
+++ b/lib/crypto/Kconfig
@@ -106,10 +106,20 @@ config CRYPTO_LIB_MLDSA
 	select CRYPTO_LIB_SHA3
 	help
 	  The ML-DSA library functions.  Select this if your module uses any of
 	  the functions from <crypto/mldsa.h>.
 
+config CRYPTO_LIB_NH
+	tristate
+	help
+	  Implementation of the NH almost-universal hash function, specifically
+	  the variant of NH used in Adiantum.
+
+config CRYPTO_LIB_NH_ARCH
+	bool
+	depends on CRYPTO_LIB_NH && !UML
+
 config CRYPTO_LIB_POLY1305
 	tristate
 	help
 	  The Poly1305 library functions.  Select this if your module uses any
 	  of the functions from <crypto/poly1305.h>.
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index a0578105266f..929b84568809 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -129,10 +129,18 @@ endif # CONFIG_CRYPTO_LIB_MD5_ARCH
 obj-$(CONFIG_CRYPTO_LIB_MLDSA) += libmldsa.o
 libmldsa-y := mldsa.o
 
 ################################################################################
 
+obj-$(CONFIG_CRYPTO_LIB_NH) += libnh.o
+libnh-y := nh.o
+ifeq ($(CONFIG_CRYPTO_LIB_NH_ARCH),y)
+CFLAGS_nh.o += -I$(src)/$(SRCARCH)
+endif
+
+################################################################################
+
 obj-$(CONFIG_CRYPTO_LIB_POLY1305) += libpoly1305.o
 libpoly1305-y := poly1305.o
 ifeq ($(CONFIG_ARCH_SUPPORTS_INT128),y)
 libpoly1305-$(CONFIG_CRYPTO_LIB_POLY1305_GENERIC) += poly1305-donna64.o
 else
diff --git a/lib/crypto/nh.c b/lib/crypto/nh.c
new file mode 100644
index 000000000000..e1d0095b5289
--- /dev/null
+++ b/lib/crypto/nh.c
@@ -0,0 +1,82 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright 2018 Google LLC
+ */
+
+/*
+ * Implementation of the NH almost-universal hash function, specifically the
+ * variant of NH used in Adiantum.  This is *not* a cryptographic hash function.
+ *
+ * Reference: section 6.3 of "Adiantum: length-preserving encryption for
+ * entry-level processors" (https://eprint.iacr.org/2018/720.pdf).
+ */
+
+#include <crypto/nh.h>
+#include <linux/export.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/unaligned.h>
+
+#ifdef CONFIG_CRYPTO_LIB_NH_ARCH
+#include "nh.h" /* $(SRCARCH)/nh.h */
+#else
+static bool nh_arch(const u32 *key, const u8 *message, size_t message_len,
+		    __le64 hash[NH_NUM_PASSES])
+{
+	return false;
+}
+#endif
+
+void nh(const u32 *key, const u8 *message, size_t message_len,
+	__le64 hash[NH_NUM_PASSES])
+{
+	u64 sums[4] = { 0, 0, 0, 0 };
+
+	if (nh_arch(key, message, message_len, hash))
+		return;
+
+	static_assert(NH_PAIR_STRIDE == 2);
+	static_assert(NH_NUM_PASSES == 4);
+
+	while (message_len) {
+		u32 m0 = get_unaligned_le32(message + 0);
+		u32 m1 = get_unaligned_le32(message + 4);
+		u32 m2 = get_unaligned_le32(message + 8);
+		u32 m3 = get_unaligned_le32(message + 12);
+
+		sums[0] += (u64)(u32)(m0 + key[0]) * (u32)(m2 + key[2]);
+		sums[1] += (u64)(u32)(m0 + key[4]) * (u32)(m2 + key[6]);
+		sums[2] += (u64)(u32)(m0 + key[8]) * (u32)(m2 + key[10]);
+		sums[3] += (u64)(u32)(m0 + key[12]) * (u32)(m2 + key[14]);
+		sums[0] += (u64)(u32)(m1 + key[1]) * (u32)(m3 + key[3]);
+		sums[1] += (u64)(u32)(m1 + key[5]) * (u32)(m3 + key[7]);
+		sums[2] += (u64)(u32)(m1 + key[9]) * (u32)(m3 + key[11]);
+		sums[3] += (u64)(u32)(m1 + key[13]) * (u32)(m3 + key[15]);
+		key += NH_MESSAGE_UNIT / sizeof(key[0]);
+		message += NH_MESSAGE_UNIT;
+		message_len -= NH_MESSAGE_UNIT;
+	}
+
+	hash[0] = cpu_to_le64(sums[0]);
+	hash[1] = cpu_to_le64(sums[1]);
+	hash[2] = cpu_to_le64(sums[2]);
+	hash[3] = cpu_to_le64(sums[3]);
+}
+EXPORT_SYMBOL_GPL(nh);
+
+#ifdef nh_mod_init_arch
+static int __init nh_mod_init(void)
+{
+	nh_mod_init_arch();
+	return 0;
+}
+subsys_initcall(nh_mod_init);
+
+static void __exit nh_mod_exit(void)
+{
+}
+module_exit(nh_mod_exit);
+#endif
+
+MODULE_DESCRIPTION("NH almost-universal hash function");
+MODULE_LICENSE("GPL");
-- 
2.52.0

[PATCH 02/12] lib/crypto: tests: Add KUnit tests for NH

[Eric Biggers]

Add some simple KUnit tests for the nh() function.

These replace the test coverage which will be lost by removing the
nhpoly1305 crypto_shash.

Note that the NH code also continues to be tested indirectly as well,
via the tests for the "adiantum(xchacha12,aes)" crypto_skcipher.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 lib/crypto/tests/Kconfig            |   8 +
 lib/crypto/tests/Makefile           |   1 +
 lib/crypto/tests/nh-testvecs.h      | 298 ++++++++++++++++++++++++++++
 lib/crypto/tests/nh_kunit.c         |  43 ++++
 scripts/crypto/gen-hash-testvecs.py |  40 ++++
 5 files changed, 390 insertions(+)
 create mode 100644 lib/crypto/tests/nh-testvecs.h
 create mode 100644 lib/crypto/tests/nh_kunit.c

diff --git a/lib/crypto/tests/Kconfig b/lib/crypto/tests/Kconfig
index c9165c14fc46..4970463ea0aa 100644
--- a/lib/crypto/tests/Kconfig
+++ b/lib/crypto/tests/Kconfig
@@ -45,10 +45,18 @@ config CRYPTO_LIB_MLDSA_KUNIT_TEST
 	select CRYPTO_LIB_BENCHMARK_VISIBLE
 	select CRYPTO_LIB_MLDSA
 	help
 	  KUnit tests for the ML-DSA digital signature algorithm.
 
+config CRYPTO_LIB_NH_KUNIT_TEST
+	tristate "KUnit tests for NH" if !KUNIT_ALL_TESTS
+	depends on KUNIT
+	default KUNIT_ALL_TESTS || CRYPTO_SELFTESTS
+	select CRYPTO_LIB_NH
+	help
+	  KUnit tests for the NH almost-universal hash function.
+
 config CRYPTO_LIB_POLY1305_KUNIT_TEST
 	tristate "KUnit tests for Poly1305" if !KUNIT_ALL_TESTS
 	depends on KUNIT
 	default KUNIT_ALL_TESTS || CRYPTO_SELFTESTS
 	select CRYPTO_LIB_BENCHMARK_VISIBLE
diff --git a/lib/crypto/tests/Makefile b/lib/crypto/tests/Makefile
index 3dde0b40b2c5..f4262379f56c 100644
--- a/lib/crypto/tests/Makefile
+++ b/lib/crypto/tests/Makefile
@@ -3,10 +3,11 @@
 obj-$(CONFIG_CRYPTO_LIB_BLAKE2B_KUNIT_TEST) += blake2b_kunit.o
 obj-$(CONFIG_CRYPTO_LIB_BLAKE2S_KUNIT_TEST) += blake2s_kunit.o
 obj-$(CONFIG_CRYPTO_LIB_CURVE25519_KUNIT_TEST) += curve25519_kunit.o
 obj-$(CONFIG_CRYPTO_LIB_MD5_KUNIT_TEST) += md5_kunit.o
 obj-$(CONFIG_CRYPTO_LIB_MLDSA_KUNIT_TEST) += mldsa_kunit.o
+obj-$(CONFIG_CRYPTO_LIB_NH_KUNIT_TEST) += nh_kunit.o
 obj-$(CONFIG_CRYPTO_LIB_POLY1305_KUNIT_TEST) += poly1305_kunit.o
 obj-$(CONFIG_CRYPTO_LIB_POLYVAL_KUNIT_TEST) += polyval_kunit.o
 obj-$(CONFIG_CRYPTO_LIB_SHA1_KUNIT_TEST) += sha1_kunit.o
 obj-$(CONFIG_CRYPTO_LIB_SHA256_KUNIT_TEST) += sha224_kunit.o sha256_kunit.o
 obj-$(CONFIG_CRYPTO_LIB_SHA512_KUNIT_TEST) += sha384_kunit.o sha512_kunit.o
diff --git a/lib/crypto/tests/nh-testvecs.h b/lib/crypto/tests/nh-testvecs.h
new file mode 100644
index 000000000000..b393e1f90f31
--- /dev/null
+++ b/lib/crypto/tests/nh-testvecs.h
@@ -0,0 +1,298 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/* This file was generated by: ./scripts/crypto/gen-hash-testvecs.py nh */
+
+static const u8 nh_test_key[NH_KEY_BYTES] = {
+	0x04, 0x59, 0x66, 0x92, 0x81, 0xd7, 0xe9, 0x25,
+	0x68, 0xfa, 0xb0, 0xca, 0x9f, 0xea, 0x98, 0xca,
+	0xcd, 0xbf, 0x6d, 0xa5, 0x0c, 0x22, 0xc3, 0x57,
+	0xdc, 0x35, 0x05, 0xdd, 0x5b, 0xb0, 0xce, 0xf6,
+	0xb2, 0x4c, 0x77, 0x2e, 0xd2, 0x63, 0xf0, 0x17,
+	0x60, 0xd8, 0xd3, 0xd9, 0xed, 0x34, 0xb6, 0xed,
+	0x6a, 0x11, 0xc0, 0x25, 0xda, 0xba, 0x7e, 0xef,
+	0x49, 0x13, 0xf7, 0xd9, 0xfc, 0xb6, 0xfd, 0x58,
+	0xe9, 0x5f, 0xc5, 0xc4, 0x69, 0x89, 0xba, 0xa6,
+	0x2b, 0x58, 0x8d, 0x36, 0x6c, 0xb9, 0x90, 0x1e,
+	0x64, 0xc7, 0x44, 0x84, 0x03, 0x70, 0x30, 0x47,
+	0xdd, 0x58, 0xf4, 0x87, 0x61, 0xfd, 0x9c, 0x6b,
+	0x51, 0x1b, 0x39, 0x1d, 0x6d, 0x50, 0xae, 0x19,
+	0x71, 0x03, 0xc7, 0xa7, 0x42, 0x82, 0x8f, 0xa5,
+	0x63, 0x6a, 0xe2, 0x8a, 0xad, 0x4b, 0x40, 0xa7,
+	0x3f, 0x8b, 0xe4, 0xae, 0xb2, 0x8a, 0x14, 0x78,
+	0x91, 0x07, 0xba, 0x02, 0x08, 0xc1, 0x34, 0xb8,
+	0xda, 0x61, 0x67, 0xf6, 0x98, 0x97, 0x1a, 0xcb,
+	0x0f, 0x82, 0x80, 0xff, 0x02, 0x54, 0x16, 0x57,
+	0x18, 0x35, 0xaf, 0x16, 0x17, 0x68, 0xcc, 0xc7,
+	0x52, 0xac, 0x31, 0x39, 0x60, 0xe4, 0xb4, 0xcb,
+	0x0e, 0xf9, 0x57, 0xe9, 0x96, 0xff, 0x99, 0xd6,
+	0x10, 0x96, 0x09, 0xab, 0x28, 0x92, 0x1b, 0x9f,
+	0x10, 0xde, 0x3e, 0x87, 0xb8, 0x9d, 0x2d, 0xa0,
+	0x3c, 0x91, 0x85, 0x8c, 0x9e, 0xc0, 0x97, 0x9a,
+	0xb4, 0x54, 0x7f, 0x4a, 0x63, 0xc2, 0x75, 0x0f,
+	0x0d, 0x2f, 0x62, 0x56, 0x48, 0x0e, 0xb6, 0xc7,
+	0xcf, 0x0d, 0x78, 0xca, 0xbd, 0x31, 0x9e, 0x4c,
+	0xf7, 0x3f, 0x9e, 0xc2, 0xea, 0x5e, 0x44, 0x6d,
+	0x76, 0xf9, 0xc5, 0xe0, 0x29, 0xea, 0x15, 0xbf,
+	0xaf, 0xd4, 0x75, 0xc8, 0x89, 0xcf, 0x4f, 0x17,
+	0xfd, 0x4a, 0x45, 0xa5, 0x4d, 0x2d, 0x87, 0x11,
+	0x2b, 0x3e, 0x64, 0xa2, 0x6b, 0xc5, 0x23, 0x8c,
+	0xfa, 0x71, 0x13, 0x72, 0x0e, 0x7c, 0xe1, 0x2c,
+	0x9f, 0x0e, 0x29, 0xc9, 0x15, 0xde, 0x4e, 0xd7,
+	0x42, 0x1f, 0x8e, 0xe1, 0x91, 0x99, 0x50, 0x38,
+	0x7f, 0x15, 0xc0, 0xf6, 0x4b, 0xfd, 0x9d, 0x40,
+	0xe9, 0x44, 0x51, 0xca, 0x3b, 0x83, 0x41, 0x9f,
+	0x82, 0x64, 0x66, 0x22, 0x12, 0x43, 0x1c, 0x4f,
+	0x45, 0x11, 0x3a, 0x46, 0xb1, 0x7c, 0x62, 0x0a,
+	0x9d, 0x4c, 0x99, 0x85, 0xb0, 0x10, 0x19, 0xcf,
+	0xeb, 0xf9, 0x65, 0xaf, 0xd8, 0x05, 0x9e, 0x61,
+	0x03, 0x5f, 0x15, 0x99, 0xa9, 0x05, 0x20, 0xc8,
+	0xaf, 0xab, 0x31, 0x9d, 0xd5, 0xdf, 0x24, 0xce,
+	0x2b, 0x6d, 0xd7, 0x17, 0xc3, 0x04, 0xff, 0x82,
+	0xa7, 0x18, 0x39, 0xe9, 0x0d, 0x0a, 0x5f, 0xb9,
+	0xc9, 0x86, 0x1d, 0xf8, 0x02, 0x2d, 0xc3, 0x88,
+	0x28, 0x73, 0x5c, 0xac, 0x25, 0xc9, 0xfe, 0xcb,
+	0xd2, 0xfd, 0x63, 0x74, 0xac, 0xe1, 0xb8, 0xa2,
+	0xc6, 0x2b, 0xb5, 0x40, 0x01, 0x9b, 0xed, 0xee,
+	0x7b, 0x63, 0x66, 0x05, 0x45, 0xc2, 0x6c, 0xd8,
+	0x58, 0xf1, 0xa1, 0x3d, 0xc8, 0x43, 0x59, 0x4b,
+	0x39, 0x87, 0x24, 0x64, 0x92, 0xb0, 0xab, 0x75,
+	0xf1, 0xb7, 0xbf, 0x7c, 0xde, 0xc0, 0xaf, 0x4a,
+	0xc2, 0x7b, 0xd9, 0x8a, 0x99, 0xcd, 0x83, 0x01,
+	0xe6, 0xae, 0xeb, 0x16, 0xe7, 0x54, 0x9c, 0x95,
+	0x0a, 0x91, 0x02, 0xaf, 0x9f, 0x79, 0x40, 0x45,
+	0xce, 0x47, 0x41, 0x65, 0xca, 0x80, 0x0d, 0x14,
+	0x46, 0x58, 0x5d, 0x4d, 0x28, 0x55, 0x70, 0x49,
+	0x7c, 0x32, 0x1f, 0x01, 0xaa, 0x05, 0x2f, 0xf1,
+	0xeb, 0xa3, 0xe6, 0x1d, 0xf9, 0x43, 0xe0, 0x58,
+	0x05, 0x61, 0x22, 0xc3, 0xee, 0xe4, 0x6f, 0x94,
+	0xaf, 0x82, 0xda, 0x18, 0x18, 0x63, 0x9c, 0xfa,
+	0xc0, 0x04, 0x27, 0xc5, 0x39, 0x5e, 0x7a, 0xa6,
+	0x85, 0x46, 0xb7, 0x76, 0xc9, 0x16, 0xf2, 0xf8,
+	0x40, 0x8d, 0x4b, 0x5e, 0x72, 0xf3, 0x3e, 0x12,
+	0xa4, 0x80, 0x39, 0xb2, 0x92, 0xfe, 0x6e, 0x5b,
+	0x5b, 0xad, 0xea, 0x29, 0xbc, 0x66, 0xe6, 0xfe,
+	0x80, 0x02, 0x5d, 0x83, 0x37, 0xfc, 0xde, 0x6c,
+	0x25, 0x54, 0xa2, 0xff, 0x7d, 0xb6, 0xe1, 0xd6,
+	0xcf, 0xdb, 0x60, 0xe3, 0xbe, 0x2f, 0x4e, 0xb4,
+	0xf5, 0xb4, 0x51, 0xf7, 0x5a, 0x25, 0xda, 0x40,
+	0x84, 0x5e, 0xc0, 0x0a, 0x6b, 0xfa, 0x0c, 0xfb,
+	0x5e, 0x3e, 0x12, 0x6c, 0x39, 0x35, 0xc0, 0x28,
+	0xd6, 0x1b, 0x3a, 0x72, 0xc3, 0xfe, 0xa5, 0x4c,
+	0x35, 0xa2, 0x42, 0xf6, 0x3d, 0xa5, 0xbf, 0xb5,
+	0x39, 0xe3, 0xc9, 0xd5, 0x8c, 0x1b, 0xe5, 0xef,
+	0x91, 0xd2, 0x80, 0x6f, 0xcc, 0x77, 0x44, 0x50,
+	0x62, 0xc7, 0xac, 0x29, 0xcb, 0x72, 0xda, 0x6d,
+	0xc5, 0xfe, 0xa7, 0xee, 0x8b, 0xeb, 0xfc, 0xa3,
+	0x46, 0x18, 0x5f, 0xaa, 0xc3, 0x65, 0xd0, 0x8f,
+	0x67, 0x98, 0xd6, 0xce, 0x5f, 0x84, 0xd4, 0x96,
+	0x1b, 0x67, 0xa0, 0xcf, 0xfc, 0x94, 0x55, 0x5e,
+	0x4b, 0x51, 0x68, 0xa7, 0x6d, 0x02, 0xf9, 0x53,
+	0x54, 0x86, 0x6b, 0x53, 0x39, 0xe0, 0x36, 0x23,
+	0x87, 0x1a, 0xfb, 0x53, 0x1a, 0x65, 0xd8, 0x42,
+	0xa8, 0x85, 0xfd, 0x2c, 0x7f, 0x6b, 0x7f, 0x67,
+	0x70, 0x23, 0x6c, 0xe9, 0x0b, 0xf0, 0x1e, 0x0d,
+	0x0b, 0xb4, 0xd4, 0x96, 0x14, 0x95, 0x7e, 0xf3,
+	0x9b, 0xdd, 0xd7, 0xc4, 0x24, 0x22, 0xb9, 0x9d,
+	0xb3, 0xa6, 0xac, 0x09, 0x7c, 0x00, 0xbf, 0xd0,
+	0xdc, 0xfb, 0x9b, 0x7c, 0x8c, 0xbd, 0xd4, 0x1a,
+	0x13, 0x2b, 0x82, 0x3d, 0x7c, 0x8c, 0x10, 0x47,
+	0x49, 0x6c, 0x53, 0xeb, 0xa7, 0xc2, 0xde, 0xed,
+	0xe2, 0x55, 0x93, 0x2c, 0x1a, 0x5a, 0x7d, 0xe1,
+	0x37, 0x62, 0xdd, 0x29, 0x1a, 0x72, 0x82, 0xc0,
+	0x14, 0x73, 0x5d, 0x0e, 0x9b, 0xcc, 0x54, 0x68,
+	0x3a, 0x4d, 0x56, 0x8f, 0xc9, 0x4e, 0xaf, 0x7b,
+	0xde, 0x17, 0x9c, 0x5e, 0x83, 0x82, 0x22, 0xe3,
+	0x28, 0xdf, 0x1b, 0xb6, 0xdb, 0x17, 0x90, 0x48,
+	0xb5, 0x13, 0x4e, 0xd3, 0x97, 0x5e, 0xb3, 0x9c,
+	0x16, 0x08, 0xc8, 0x77, 0xb3, 0xcd, 0x94, 0x90,
+	0x4f, 0x77, 0xaf, 0x67, 0xdd, 0x80, 0x15, 0x1c,
+	0x59, 0xfb, 0x3c, 0xec, 0xf8, 0xb3, 0x67, 0xfb,
+	0xa0, 0x94, 0x3c, 0x53, 0x99, 0x49, 0x94, 0x2c,
+	0x85, 0x26, 0x92, 0x6d, 0x8d, 0x48, 0xf6, 0x72,
+	0xdd, 0xfb, 0xb2, 0x10, 0x51, 0x5b, 0xbe, 0xd5,
+	0x70, 0x3d, 0x28, 0x94, 0x98, 0x4f, 0x6e, 0x20,
+	0x7b, 0x7d, 0x0f, 0x56, 0xc9, 0x96, 0x5f, 0x60,
+	0x2e, 0x2f, 0x9b, 0x38, 0x7f, 0xc7, 0x3c, 0x6b,
+	0x2f, 0x2b, 0x8f, 0x1f, 0x07, 0x1c, 0x85, 0x57,
+	0x16, 0x2e, 0xc7, 0x74, 0xe5, 0xf2, 0x0d, 0xfe,
+	0xef, 0x57, 0xb0, 0xa4, 0x4f, 0x4c, 0x7d, 0x81,
+	0xbb, 0xaa, 0xcb, 0xa0, 0xb0, 0x51, 0xcf, 0xc2,
+	0xee, 0x90, 0x2e, 0x5e, 0x27, 0xca, 0xd3, 0xe8,
+	0xf3, 0x55, 0x02, 0x56, 0x06, 0xa5, 0xad, 0xdf,
+	0xa3, 0xa9, 0x06, 0x05, 0x53, 0x74, 0x55, 0xd5,
+	0xd2, 0x20, 0x0a, 0x6d, 0x4a, 0xef, 0x16, 0xbf,
+	0xc3, 0xb2, 0x75, 0x93, 0xd8, 0x6e, 0x0f, 0xd2,
+	0xae, 0x3b, 0xc0, 0x00, 0x22, 0x6f, 0xb5, 0x0a,
+	0x41, 0xfc, 0xf9, 0x41, 0xfc, 0x16, 0x4f, 0xa6,
+	0x1c, 0x18, 0x41, 0x67, 0x73, 0xa8, 0x79, 0xa9,
+	0x54, 0x18, 0x4e, 0x88, 0x44, 0x0f, 0xa1, 0x5b,
+	0xf0, 0x68, 0xea, 0x3c, 0x62, 0x59, 0x8d, 0xc7,
+	0x6f, 0xd7, 0x72, 0x20, 0x74, 0x39, 0xd4, 0x3a,
+	0x41, 0x1b, 0x58, 0x57, 0x54, 0x85, 0x60, 0xca,
+	0x49, 0x4b, 0xa1, 0x04, 0x91, 0xb6, 0xf2, 0xcd,
+	0x62, 0x63, 0x67, 0xd1, 0xee, 0x6b, 0x9e, 0x5d,
+	0xd6, 0xc4, 0x58, 0x6b, 0xe1, 0xe6, 0x4a, 0xdb,
+	0xe8, 0xb1, 0x35, 0x03, 0x15, 0x8d, 0x34, 0x69,
+	0x4c, 0xd2, 0x54, 0xce, 0xe8, 0x6a, 0x69, 0x6f,
+	0xaa, 0xb5, 0x1f, 0x86, 0xed, 0xac, 0x4f, 0x16,
+	0x1e, 0x48, 0x93, 0xe8, 0x6c, 0x24, 0x1c, 0xd0,
+	0xbb, 0x61, 0xc2, 0x34, 0xdd, 0xc9, 0x5c, 0xce,
+};
+
+static const u8 nh_test_msg[NH_MESSAGE_BYTES] = {
+	0x99, 0x57, 0x61, 0x41, 0xad, 0x08, 0x7e, 0x17,
+	0xd4, 0xef, 0x0b, 0x23, 0xff, 0x0b, 0x96, 0x0a,
+	0x6c, 0x98, 0xac, 0x78, 0x5e, 0xb6, 0xb2, 0x67,
+	0x0f, 0x48, 0xf4, 0xa1, 0xe5, 0x1e, 0xfe, 0x83,
+	0xe4, 0x56, 0x2a, 0x03, 0x64, 0xff, 0x7a, 0xf3,
+	0x03, 0xfe, 0xa7, 0x86, 0xdc, 0x35, 0x79, 0x13,
+	0xf8, 0xe1, 0x59, 0x19, 0x04, 0x43, 0x24, 0x82,
+	0x44, 0x82, 0x41, 0x2b, 0xc7, 0xcf, 0xf5, 0xa4,
+	0xdc, 0xca, 0xf5, 0x34, 0xc4, 0x23, 0x3c, 0x1f,
+	0xa8, 0x84, 0x1f, 0x2a, 0xcd, 0xae, 0x9d, 0x5e,
+	0x05, 0xe2, 0xfb, 0x0c, 0x68, 0x81, 0x90, 0x11,
+	0x44, 0xf6, 0xdd, 0x5b, 0x51, 0xd3, 0xe0, 0xab,
+	0x29, 0x3a, 0xa9, 0x9c, 0xf6, 0x7e, 0x2d, 0xe3,
+	0x6c, 0x09, 0x59, 0xd7, 0xfa, 0x7f, 0x6a, 0x33,
+	0x3b, 0x23, 0x7b, 0x1b, 0xb2, 0x79, 0x5f, 0x5c,
+	0xb6, 0x2d, 0xb0, 0xf8, 0xab, 0x33, 0x28, 0xe0,
+	0x72, 0x2e, 0x2f, 0x03, 0x22, 0x16, 0xb4, 0x87,
+	0xf7, 0x14, 0x3f, 0x55, 0x8a, 0xb0, 0x47, 0xdb,
+	0x42, 0x2d, 0xc0, 0x0c, 0x0a, 0x33, 0xf8, 0xab,
+	0x44, 0xae, 0xa3, 0xc9, 0xfc, 0xf6, 0x34, 0x8c,
+	0x60, 0x30, 0x6d, 0x31, 0x70, 0xf3, 0x39, 0x53,
+	0xf1, 0x2d, 0xb9, 0x6c, 0xa6, 0x48, 0x9c, 0x9c,
+	0xc2, 0x88, 0xb3, 0xa9, 0x98, 0xb6, 0xc3, 0x47,
+	0x94, 0x02, 0x9d, 0x98, 0x6e, 0x25, 0x6c, 0xf5,
+	0x9b, 0xc6, 0x4d, 0xee, 0x07, 0x1e, 0x25, 0x8f,
+	0x01, 0xde, 0xad, 0xe5, 0x77, 0x4f, 0xd1, 0xc0,
+	0x62, 0xbb, 0x3a, 0xb9, 0x83, 0x0b, 0x29, 0x76,
+	0x4f, 0xb1, 0x86, 0x2c, 0x27, 0xc7, 0x38, 0x65,
+	0xcb, 0x78, 0xb7, 0x02, 0x10, 0x9e, 0xde, 0x83,
+	0xd1, 0xac, 0x05, 0x86, 0x23, 0xce, 0x4f, 0x8d,
+	0xcc, 0x4e, 0x3f, 0x04, 0xf4, 0x39, 0x91, 0x81,
+	0x1c, 0x42, 0x47, 0x4d, 0x50, 0xe5, 0x01, 0x22,
+	0x98, 0xcf, 0x91, 0x36, 0xb3, 0x7c, 0xcf, 0x78,
+	0x07, 0x22, 0xa9, 0x18, 0xd2, 0xcd, 0x7d, 0x4d,
+	0xa6, 0xcb, 0xaa, 0x52, 0x13, 0x49, 0x64, 0xb0,
+	0xa5, 0x3d, 0xc7, 0xc3, 0x10, 0x87, 0x2e, 0x76,
+	0xa9, 0x52, 0xc5, 0x50, 0x18, 0xc0, 0x5d, 0xb4,
+	0x4c, 0xc6, 0x7f, 0x64, 0xae, 0x53, 0xc3, 0x46,
+	0x99, 0xb7, 0x61, 0x6b, 0x08, 0x43, 0x08, 0x4c,
+	0x90, 0x2c, 0xee, 0x56, 0x91, 0xb4, 0x28, 0xa8,
+	0xa8, 0x8b, 0x3b, 0x1a, 0x67, 0x71, 0xf2, 0x81,
+	0x48, 0x20, 0x71, 0x30, 0xdd, 0x69, 0x8a, 0xc2,
+	0x4c, 0x9d, 0x4e, 0x17, 0xfb, 0x2e, 0xe7, 0x9b,
+	0x86, 0x94, 0xa5, 0xce, 0xf9, 0x74, 0x56, 0xff,
+	0x3b, 0xff, 0xd9, 0x5a, 0xc8, 0x98, 0xf5, 0x25,
+	0xa2, 0xb9, 0x66, 0x46, 0x89, 0x17, 0x39, 0x08,
+	0x69, 0x03, 0x59, 0x1e, 0x13, 0x12, 0x68, 0xe7,
+	0x2f, 0x00, 0xd3, 0xf3, 0x71, 0xd1, 0x20, 0xc5,
+	0x0b, 0x38, 0x89, 0xda, 0x62, 0x3c, 0xce, 0xea,
+	0x04, 0x19, 0x47, 0x6d, 0xd8, 0x64, 0x38, 0x60,
+	0x96, 0x71, 0x68, 0x48, 0x79, 0xf8, 0xf4, 0x76,
+	0x33, 0xf6, 0x60, 0x8d, 0x21, 0xd0, 0xee, 0x41,
+	0xc0, 0xbe, 0x33, 0x61, 0x5e, 0x66, 0xe6, 0x16,
+	0x14, 0xc7, 0xfb, 0x6c, 0xf3, 0x58, 0xef, 0x12,
+	0x7c, 0x70, 0x65, 0x5d, 0x55, 0xe8, 0xf2, 0x92,
+	0x3a, 0xfe, 0x34, 0x64, 0x31, 0x7c, 0x29, 0xbb,
+	0x01, 0x18, 0xbd, 0xb6, 0xe4, 0x1e, 0xa4, 0xf3,
+	0x7b, 0x4c, 0x6a, 0x0d, 0x01, 0xfc, 0xc7, 0x66,
+	0xc3, 0x88, 0x37, 0x25, 0xcf, 0xe9, 0xca, 0x82,
+	0xeb, 0xa1, 0x38, 0x40, 0xc9, 0xdb, 0x38, 0x7b,
+	0x78, 0xcf, 0x11, 0xa3, 0x1c, 0x6b, 0x70, 0xc8,
+	0xe1, 0x2f, 0x7c, 0x17, 0x2c, 0x58, 0x28, 0xa4,
+	0x13, 0x40, 0xc7, 0x69, 0x0f, 0x04, 0xe5, 0x8e,
+	0xf0, 0x67, 0x53, 0xea, 0x10, 0xf5, 0x83, 0xc9,
+	0xcb, 0x6b, 0x16, 0xef, 0x2e, 0x55, 0xb3, 0xdd,
+	0xed, 0xf9, 0x1a, 0x52, 0x9a, 0x73, 0x78, 0x14,
+	0x14, 0x21, 0xfc, 0xef, 0x3c, 0x40, 0xa9, 0xfe,
+	0xef, 0xd7, 0x6e, 0x28, 0x2f, 0xd3, 0x73, 0xed,
+	0xa3, 0x73, 0xb5, 0x62, 0x41, 0xe6, 0xd4, 0x79,
+	0x49, 0x31, 0x2b, 0x86, 0x74, 0x56, 0x21, 0xfe,
+	0x6d, 0xb2, 0xbe, 0x81, 0x80, 0xa6, 0x81, 0x19,
+	0x90, 0x79, 0x6f, 0xc4, 0x4e, 0x7d, 0x6f, 0x2f,
+	0xa8, 0x6f, 0xd5, 0xc4, 0x7e, 0x23, 0x3b, 0xe6,
+	0x9b, 0x60, 0x97, 0x7b, 0xe2, 0x08, 0x8a, 0xaa,
+	0xc7, 0x7c, 0xf6, 0xe5, 0x01, 0x3e, 0xd2, 0x29,
+	0x7d, 0xd7, 0x40, 0x84, 0x95, 0xfa, 0xdf, 0xd8,
+	0x81, 0xe9, 0x5e, 0xdd, 0x0d, 0x17, 0x51, 0x6b,
+	0x8c, 0x0e, 0x47, 0xf9, 0x0c, 0x92, 0x1b, 0x60,
+	0xca, 0x06, 0x8a, 0xe5, 0xe8, 0x0f, 0x06, 0x75,
+	0x5d, 0x76, 0xc9, 0x32, 0x2c, 0x52, 0x2c, 0x2e,
+	0xd8, 0x66, 0x38, 0x75, 0x16, 0xc7, 0x7d, 0x51,
+	0xc4, 0xc2, 0x22, 0xc8, 0x19, 0xfc, 0x3d, 0x69,
+	0x1e, 0xd9, 0x64, 0x47, 0x5d, 0x21, 0x84, 0x46,
+	0xd7, 0xe1, 0xf0, 0x95, 0x3a, 0x8f, 0xbd, 0x7a,
+	0x53, 0x71, 0x4c, 0x54, 0xc1, 0x3e, 0x27, 0xde,
+	0xeb, 0x04, 0x11, 0xb0, 0x33, 0x4d, 0x57, 0x0b,
+	0x6b, 0x7d, 0x6c, 0xd5, 0x87, 0x7e, 0xb4, 0xe2,
+	0x94, 0x9e, 0x9f, 0x74, 0xe8, 0xb7, 0xfa, 0x05,
+	0x9b, 0x8f, 0x81, 0x43, 0x35, 0x82, 0xb8, 0x5b,
+	0xa8, 0x5e, 0xfa, 0x7a, 0x80, 0x8d, 0xd2, 0x90,
+	0x58, 0x79, 0x89, 0x56, 0x90, 0x2b, 0xff, 0x92,
+	0x3c, 0x35, 0xbe, 0x99, 0x5f, 0xd2, 0x4b, 0x15,
+	0x58, 0x4b, 0xbf, 0x08, 0x9b, 0x9b, 0x97, 0x10,
+	0xa4, 0x55, 0xc7, 0xec, 0x29, 0xc5, 0x14, 0x3e,
+	0x8f, 0x56, 0xa3, 0x92, 0x9e, 0x33, 0xcc, 0x9e,
+	0x77, 0x2f, 0x33, 0xcb, 0xc4, 0xe9, 0x19, 0xf4,
+	0x32, 0x2b, 0xef, 0x6c, 0x1c, 0x92, 0x2c, 0x45,
+	0x88, 0x74, 0x5f, 0xcf, 0x56, 0xfd, 0x87, 0x5f,
+	0xb6, 0x9b, 0xa2, 0x51, 0xda, 0x9b, 0x83, 0x4f,
+	0xec, 0x14, 0xe8, 0xd2, 0x42, 0x03, 0xcb, 0xe8,
+	0xd0, 0xb7, 0xf8, 0x38, 0xde, 0x6f, 0xdf, 0x43,
+	0xfa, 0x41, 0xab, 0xec, 0x2e, 0x3c, 0x93, 0x39,
+	0x76, 0xd1, 0x6f, 0x5b, 0x6c, 0x6e, 0x8d, 0xeb,
+	0x45, 0x6b, 0xc5, 0x76, 0x00, 0x29, 0xca, 0x3b,
+	0xdb, 0x78, 0xc2, 0x32, 0x09, 0x39, 0x19, 0x50,
+	0xa2, 0x44, 0x92, 0x09, 0xdb, 0x8b, 0x9e, 0x16,
+	0x76, 0x7f, 0xf1, 0x78, 0x7b, 0xb2, 0x51, 0xbc,
+	0x28, 0xbd, 0xb0, 0x7f, 0x25, 0x63, 0x7d, 0x34,
+	0xfb, 0xf6, 0x36, 0x24, 0xc7, 0xf9, 0x41, 0xb6,
+	0x2a, 0x06, 0xfc, 0xf0, 0x83, 0xf2, 0x12, 0x3d,
+	0x60, 0x2e, 0x10, 0x70, 0x31, 0x6f, 0x37, 0x08,
+	0x3e, 0x91, 0x93, 0xb5, 0xda, 0xb8, 0x4c, 0x1b,
+	0xd8, 0xb8, 0x3b, 0xd5, 0x3e, 0xb6, 0xc0, 0xbb,
+	0x38, 0x0f, 0xd2, 0x68, 0x4f, 0x78, 0x56, 0xf6,
+	0xda, 0x65, 0xb4, 0x0b, 0xb4, 0xaf, 0xa8, 0x19,
+	0x2f, 0x70, 0x55, 0xe0, 0x47, 0x31, 0x9f, 0x37,
+	0x1a, 0x47, 0xb9, 0x0c, 0x97, 0x79, 0xfc, 0xa9,
+	0x76, 0xe6, 0xfa, 0x38, 0x67, 0x25, 0xd3, 0x89,
+	0x8d, 0xad, 0xc6, 0x11, 0x2d, 0x77, 0x0b, 0x35,
+	0xa2, 0xe2, 0xdf, 0xc8, 0x94, 0xd5, 0xdf, 0xd2,
+	0x69, 0x2a, 0x99, 0x93, 0xfa, 0x4a, 0x5f, 0xc7,
+	0x8a, 0x14, 0x5f, 0x2a, 0xf3, 0x02, 0xf0, 0x3e,
+	0x21, 0x8e, 0x2e, 0x4b, 0xc4, 0xd2, 0xc8, 0xa6,
+	0x41, 0x6e, 0x17, 0x36, 0xe9, 0xad, 0x73, 0x33,
+	0x6c, 0xea, 0xc2, 0x31, 0x8f, 0x30, 0x51, 0x5c,
+	0x1c, 0x20, 0xe6, 0x05, 0x1a, 0x17, 0x15, 0x5d,
+	0x3e, 0x8f, 0xd2, 0x7f, 0xa1, 0xc5, 0x47, 0xb3,
+	0xb2, 0x9c, 0xe8, 0xf0, 0x6d, 0xc1, 0xc3, 0xa2,
+};
+
+static const u8 nh_test_val16[NH_HASH_BYTES] = {
+	0x30, 0x77, 0x55, 0x7c, 0x45, 0xd8, 0xce, 0xf7,
+	0x2a, 0xb5, 0x14, 0x8c, 0x35, 0x7e, 0xaa, 0x00,
+	0x50, 0xbc, 0x50, 0x7c, 0xd3, 0x20, 0x7c, 0x9c,
+	0xb4, 0xf1, 0x91, 0x26, 0x81, 0x03, 0xa5, 0x68,
+};
+
+static const u8 nh_test_val96[NH_HASH_BYTES] = {
+	0xd2, 0x19, 0xca, 0xa5, 0x6c, 0x0c, 0xdf, 0x2f,
+	0x69, 0xfa, 0x75, 0xc1, 0x63, 0xdb, 0xfa, 0x4d,
+	0x45, 0x2b, 0xb8, 0xdb, 0xac, 0xee, 0x61, 0xc6,
+	0x7a, 0x83, 0xb6, 0x0f, 0x32, 0x82, 0xe4, 0xd0,
+};
+
+static const u8 nh_test_val256[NH_HASH_BYTES] = {
+	0x33, 0x8f, 0xb4, 0x96, 0xf1, 0xb6, 0xf1, 0xb5,
+	0x05, 0x19, 0xbb, 0x6b, 0xda, 0xd9, 0x95, 0x75,
+	0x96, 0x3f, 0x8b, 0x42, 0xb6, 0xcd, 0xb7, 0xb7,
+	0xe7, 0x97, 0xb5, 0xa9, 0x0b, 0xd7, 0xdd, 0x33,
+};
+
+static const u8 nh_test_val1024[NH_HASH_BYTES] = {
+	0x32, 0x3d, 0x51, 0xe1, 0x77, 0xb6, 0xac, 0x06,
+	0x84, 0x67, 0xb7, 0xf2, 0x24, 0xe7, 0xec, 0xfd,
+	0x96, 0x64, 0xff, 0x55, 0xc7, 0x1b, 0xf9, 0xdc,
+	0xa3, 0xc7, 0x32, 0x06, 0x79, 0xcf, 0xca, 0xb6,
+};
diff --git a/lib/crypto/tests/nh_kunit.c b/lib/crypto/tests/nh_kunit.c
new file mode 100644
index 000000000000..a8a3c3f345cb
--- /dev/null
+++ b/lib/crypto/tests/nh_kunit.c
@@ -0,0 +1,43 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright 2025 Google LLC
+ */
+#include <crypto/nh.h>
+#include <kunit/test.h>
+#include "nh-testvecs.h"
+
+static void test_nh(struct kunit *test)
+{
+	u32 *key = kunit_kmalloc(test, NH_KEY_BYTES, GFP_KERNEL);
+	__le64 hash[NH_NUM_PASSES];
+
+	KUNIT_ASSERT_NOT_NULL(test, key);
+	memcpy(key, nh_test_key, NH_KEY_BYTES);
+	le32_to_cpu_array(key, NH_KEY_WORDS);
+
+	nh(key, nh_test_msg, 16, hash);
+	KUNIT_ASSERT_MEMEQ(test, hash, nh_test_val16, NH_HASH_BYTES);
+
+	nh(key, nh_test_msg, 96, hash);
+	KUNIT_ASSERT_MEMEQ(test, hash, nh_test_val96, NH_HASH_BYTES);
+
+	nh(key, nh_test_msg, 256, hash);
+	KUNIT_ASSERT_MEMEQ(test, hash, nh_test_val256, NH_HASH_BYTES);
+
+	nh(key, nh_test_msg, 1024, hash);
+	KUNIT_ASSERT_MEMEQ(test, hash, nh_test_val1024, NH_HASH_BYTES);
+}
+
+static struct kunit_case nh_test_cases[] = {
+	KUNIT_CASE(test_nh),
+	{},
+};
+
+static struct kunit_suite nh_test_suite = {
+	.name = "nh",
+	.test_cases = nh_test_cases,
+};
+kunit_test_suite(nh_test_suite);
+
+MODULE_DESCRIPTION("KUnit tests for NH");
+MODULE_LICENSE("GPL");
diff --git a/scripts/crypto/gen-hash-testvecs.py b/scripts/crypto/gen-hash-testvecs.py
index c1d0517140bd..1e20ecb46314 100755
--- a/scripts/crypto/gen-hash-testvecs.py
+++ b/scripts/crypto/gen-hash-testvecs.py
@@ -182,10 +182,48 @@ def gen_additional_blake2_testvecs(alg):
             hashes += h.digest()
     print_static_u8_array_definition(
             f'{alg}_keyed_testvec_consolidated[{alg_digest_size_const(alg)}]',
             compute_hash(alg, hashes))
 
+def nh_extract_int(bytestr, pos, length):
+    assert pos % 8 == 0 and length % 8 == 0
+    return int.from_bytes(bytestr[pos//8 : pos//8 + length//8], byteorder='little')
+
+# The NH "almost-universal hash function" used in Adiantum.  This is a
+# straightforward translation of the pseudocode from Section 6.3 of the Adiantum
+# paper (https://eprint.iacr.org/2018/720.pdf), except the outer loop is omitted
+# because we assume len(msg) <= 1024.  (The kernel's nh() function is only
+# expected to handle up to 1024 bytes; it's just called repeatedly as needed.)
+def nh(key, msg):
+    (w, s, r, u) = (32, 2, 4, 8192)
+    l = 8 * len(msg)
+    assert l <= u
+    assert l % (2*s*w) == 0
+    h = bytes()
+    for i in range(0, 2*s*w*r, 2*s*w):
+        p = 0
+        for j in range(0, l, 2*s*w):
+            for k in range(0, w*s, w):
+                a0 = nh_extract_int(key, i + j + k, w)
+                a1 = nh_extract_int(key, i + j + k + s*w, w)
+                b0 = nh_extract_int(msg, j + k, w)
+                b1 = nh_extract_int(msg, j + k + s*w, w)
+                p += ((a0 + b0) % 2**w) * ((a1 + b1) % 2**w)
+        h += (p % 2**64).to_bytes(8, byteorder='little')
+    return h
+
+def gen_nh_testvecs():
+    NH_KEY_BYTES = 1072
+    NH_MESSAGE_BYTES = 1024
+    key = rand_bytes(NH_KEY_BYTES)
+    msg = rand_bytes(NH_MESSAGE_BYTES)
+    print_static_u8_array_definition('nh_test_key[NH_KEY_BYTES]', key)
+    print_static_u8_array_definition('nh_test_msg[NH_MESSAGE_BYTES]', msg)
+    for length in [16, 96, 256, 1024]:
+        print_static_u8_array_definition(f'nh_test_val{length}[NH_HASH_BYTES]',
+                                         nh(key, msg[:length]))
+
 def gen_additional_poly1305_testvecs():
     key = b'\xff' * POLY1305_KEY_SIZE
     data = b''
     ctx = Poly1305(key)
     for _ in range(32):
@@ -215,10 +253,12 @@ alg = sys.argv[1]
 print('/* SPDX-License-Identifier: GPL-2.0-or-later */')
 print(f'/* This file was generated by: {sys.argv[0]} {" ".join(sys.argv[1:])} */')
 if alg.startswith('blake2'):
     gen_unkeyed_testvecs(alg)
     gen_additional_blake2_testvecs(alg)
+elif alg == 'nh':
+    gen_nh_testvecs()
 elif alg == 'poly1305':
     gen_unkeyed_testvecs(alg)
     gen_additional_poly1305_testvecs()
 elif alg == 'polyval':
     gen_unkeyed_testvecs(alg)
-- 
2.52.0

[PATCH 03/12] lib/crypto: arm/nh: Migrate optimized code into library

[Eric Biggers]

Migrate the arm32 NEON implementation of NH into lib/crypto/.  This
makes the nh() function be optimized on arm32 kernels.

Note: this temporarily makes the adiantum template not utilize the arm32
optimized NH code.  This is resolved in a later commit that converts the
adiantum template to use nh() instead of "nhpoly1305".

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 arch/arm/crypto/Kconfig                       | 10 ---
 arch/arm/crypto/Makefile                      |  2 -
 arch/arm/crypto/nhpoly1305-neon-glue.c        | 80 -------------------
 lib/crypto/Kconfig                            |  1 +
 lib/crypto/Makefile                           |  1 +
 .../crypto => lib/crypto/arm}/nh-neon-core.S  |  0
 lib/crypto/arm/nh.h                           | 33 ++++++++
 7 files changed, 35 insertions(+), 92 deletions(-)
 delete mode 100644 arch/arm/crypto/nhpoly1305-neon-glue.c
 rename {arch/arm/crypto => lib/crypto/arm}/nh-neon-core.S (100%)
 create mode 100644 lib/crypto/arm/nh.h

diff --git a/arch/arm/crypto/Kconfig b/arch/arm/crypto/Kconfig
index f30d743df264..3eb5071bea14 100644
--- a/arch/arm/crypto/Kconfig
+++ b/arch/arm/crypto/Kconfig
@@ -21,20 +21,10 @@ config CRYPTO_GHASH_ARM_CE
 	  Use an implementation of GHASH (used by the GCM AEAD chaining mode)
 	  that uses the 64x64 to 128 bit polynomial multiplication (vmull.p64)
 	  that is part of the ARMv8 Crypto Extensions, or a slower variant that
 	  uses the vmull.p8 instruction that is part of the basic NEON ISA.
 
-config CRYPTO_NHPOLY1305_NEON
-	tristate "Hash functions: NHPoly1305 (NEON)"
-	depends on KERNEL_MODE_NEON
-	select CRYPTO_NHPOLY1305
-	help
-	  NHPoly1305 hash function (Adiantum)
-
-	  Architecture: arm using:
-	  - NEON (Advanced SIMD) extensions
-
 config CRYPTO_AES_ARM
 	tristate "Ciphers: AES"
 	select CRYPTO_ALGAPI
 	select CRYPTO_AES
 	help
diff --git a/arch/arm/crypto/Makefile b/arch/arm/crypto/Makefile
index 86dd43313dbf..d6683e9d4992 100644
--- a/arch/arm/crypto/Makefile
+++ b/arch/arm/crypto/Makefile
@@ -3,15 +3,13 @@
 # Arch-specific CryptoAPI modules.
 #
 
 obj-$(CONFIG_CRYPTO_AES_ARM) += aes-arm.o
 obj-$(CONFIG_CRYPTO_AES_ARM_BS) += aes-arm-bs.o
-obj-$(CONFIG_CRYPTO_NHPOLY1305_NEON) += nhpoly1305-neon.o
 
 obj-$(CONFIG_CRYPTO_AES_ARM_CE) += aes-arm-ce.o
 obj-$(CONFIG_CRYPTO_GHASH_ARM_CE) += ghash-arm-ce.o
 
 aes-arm-y	:= aes-cipher-core.o aes-cipher-glue.o
 aes-arm-bs-y	:= aes-neonbs-core.o aes-neonbs-glue.o
 aes-arm-ce-y	:= aes-ce-core.o aes-ce-glue.o
 ghash-arm-ce-y	:= ghash-ce-core.o ghash-ce-glue.o
-nhpoly1305-neon-y := nh-neon-core.o nhpoly1305-neon-glue.o
diff --git a/arch/arm/crypto/nhpoly1305-neon-glue.c b/arch/arm/crypto/nhpoly1305-neon-glue.c
deleted file mode 100644
index 62cf7ccdde73..000000000000
--- a/arch/arm/crypto/nhpoly1305-neon-glue.c
+++ /dev/null
@@ -1,80 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * NHPoly1305 - ε-almost-∆-universal hash function for Adiantum
- * (NEON accelerated version)
- *
- * Copyright 2018 Google LLC
- */
-
-#include <asm/neon.h>
-#include <asm/simd.h>
-#include <crypto/internal/hash.h>
-#include <crypto/internal/simd.h>
-#include <crypto/nhpoly1305.h>
-#include <linux/module.h>
-
-asmlinkage void nh_neon(const u32 *key, const u8 *message, size_t message_len,
-			__le64 hash[NH_NUM_PASSES]);
-
-static int nhpoly1305_neon_update(struct shash_desc *desc,
-				  const u8 *src, unsigned int srclen)
-{
-	if (srclen < 64 || !crypto_simd_usable())
-		return crypto_nhpoly1305_update(desc, src, srclen);
-
-	do {
-		unsigned int n = min_t(unsigned int, srclen, SZ_4K);
-
-		kernel_neon_begin();
-		crypto_nhpoly1305_update_helper(desc, src, n, nh_neon);
-		kernel_neon_end();
-		src += n;
-		srclen -= n;
-	} while (srclen);
-	return 0;
-}
-
-static int nhpoly1305_neon_digest(struct shash_desc *desc,
-				  const u8 *src, unsigned int srclen, u8 *out)
-{
-	return crypto_nhpoly1305_init(desc) ?:
-	       nhpoly1305_neon_update(desc, src, srclen) ?:
-	       crypto_nhpoly1305_final(desc, out);
-}
-
-static struct shash_alg nhpoly1305_alg = {
-	.base.cra_name		= "nhpoly1305",
-	.base.cra_driver_name	= "nhpoly1305-neon",
-	.base.cra_priority	= 200,
-	.base.cra_ctxsize	= sizeof(struct nhpoly1305_key),
-	.base.cra_module	= THIS_MODULE,
-	.digestsize		= POLY1305_DIGEST_SIZE,
-	.init			= crypto_nhpoly1305_init,
-	.update			= nhpoly1305_neon_update,
-	.final			= crypto_nhpoly1305_final,
-	.digest			= nhpoly1305_neon_digest,
-	.setkey			= crypto_nhpoly1305_setkey,
-	.descsize		= sizeof(struct nhpoly1305_state),
-};
-
-static int __init nhpoly1305_mod_init(void)
-{
-	if (!(elf_hwcap & HWCAP_NEON))
-		return -ENODEV;
-
-	return crypto_register_shash(&nhpoly1305_alg);
-}
-
-static void __exit nhpoly1305_mod_exit(void)
-{
-	crypto_unregister_shash(&nhpoly1305_alg);
-}
-
-module_init(nhpoly1305_mod_init);
-module_exit(nhpoly1305_mod_exit);
-
-MODULE_DESCRIPTION("NHPoly1305 ε-almost-∆-universal hash function (NEON-accelerated)");
-MODULE_LICENSE("GPL v2");
-MODULE_AUTHOR("Eric Biggers <ebiggers@google.com>");
-MODULE_ALIAS_CRYPTO("nhpoly1305");
-MODULE_ALIAS_CRYPTO("nhpoly1305-neon");
diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
index f14c9f5974d8..c6ee7ca77632 100644
--- a/lib/crypto/Kconfig
+++ b/lib/crypto/Kconfig
@@ -115,10 +115,11 @@ config CRYPTO_LIB_NH
 	  the variant of NH used in Adiantum.
 
 config CRYPTO_LIB_NH_ARCH
 	bool
 	depends on CRYPTO_LIB_NH && !UML
+	default y if ARM && KERNEL_MODE_NEON
 
 config CRYPTO_LIB_POLY1305
 	tristate
 	help
 	  The Poly1305 library functions.  Select this if your module uses any
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 929b84568809..6dae7e182847 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -133,10 +133,11 @@ libmldsa-y := mldsa.o
 
 obj-$(CONFIG_CRYPTO_LIB_NH) += libnh.o
 libnh-y := nh.o
 ifeq ($(CONFIG_CRYPTO_LIB_NH_ARCH),y)
 CFLAGS_nh.o += -I$(src)/$(SRCARCH)
+libnh-$(CONFIG_ARM) += arm/nh-neon-core.o
 endif
 
 ################################################################################
 
 obj-$(CONFIG_CRYPTO_LIB_POLY1305) += libpoly1305.o
diff --git a/arch/arm/crypto/nh-neon-core.S b/lib/crypto/arm/nh-neon-core.S
similarity index 100%
rename from arch/arm/crypto/nh-neon-core.S
rename to lib/crypto/arm/nh-neon-core.S
diff --git a/lib/crypto/arm/nh.h b/lib/crypto/arm/nh.h
new file mode 100644
index 000000000000..c9f39d819336
--- /dev/null
+++ b/lib/crypto/arm/nh.h
@@ -0,0 +1,33 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * ARM32 accelerated implementation of NH
+ *
+ * Copyright 2018 Google LLC
+ */
+
+#include <asm/neon.h>
+#include <asm/simd.h>
+
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
+
+asmlinkage void nh_neon(const u32 *key, const u8 *message, size_t message_len,
+			__le64 hash[NH_NUM_PASSES]);
+
+static bool nh_arch(const u32 *key, const u8 *message, size_t message_len,
+		    __le64 hash[NH_NUM_PASSES])
+{
+	if (static_branch_likely(&have_neon) && message_len >= 64 &&
+	    may_use_simd()) {
+		scoped_ksimd()
+			nh_neon(key, message, message_len, hash);
+		return true;
+	}
+	return false;
+}
+
+#define nh_mod_init_arch nh_mod_init_arch
+static void nh_mod_init_arch(void)
+{
+	if (elf_hwcap & HWCAP_NEON)
+		static_branch_enable(&have_neon);
+}
-- 
2.52.0

[PATCH 04/12] lib/crypto: arm64/nh: Migrate optimized code into library

[Eric Biggers]

Migrate the arm64 NEON implementation of NH into lib/crypto/.  This
makes the nh() function be optimized on arm64 kernels.

Note: this temporarily makes the adiantum template not utilize the arm64
optimized NH code.  This is resolved in a later commit that converts the
adiantum template to use nh() instead of "nhpoly1305".

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 arch/arm64/crypto/Kconfig                     | 10 ---
 arch/arm64/crypto/Makefile                    |  3 -
 arch/arm64/crypto/nhpoly1305-neon-glue.c      | 79 -------------------
 lib/crypto/Kconfig                            |  1 +
 lib/crypto/Makefile                           |  1 +
 .../crypto/arm64}/nh-neon-core.S              |  3 +-
 lib/crypto/arm64/nh.h                         | 34 ++++++++
 7 files changed, 37 insertions(+), 94 deletions(-)
 delete mode 100644 arch/arm64/crypto/nhpoly1305-neon-glue.c
 rename {arch/arm64/crypto => lib/crypto/arm64}/nh-neon-core.S (97%)
 create mode 100644 lib/crypto/arm64/nh.h

diff --git a/arch/arm64/crypto/Kconfig b/arch/arm64/crypto/Kconfig
index bdd276a6e540..da1c9ea8ea83 100644
--- a/arch/arm64/crypto/Kconfig
+++ b/arch/arm64/crypto/Kconfig
@@ -13,20 +13,10 @@ config CRYPTO_GHASH_ARM64_CE
 	  GCM GHASH function (NIST SP800-38D)
 
 	  Architecture: arm64 using:
 	  - ARMv8 Crypto Extensions
 
-config CRYPTO_NHPOLY1305_NEON
-	tristate "Hash functions: NHPoly1305 (NEON)"
-	depends on KERNEL_MODE_NEON
-	select CRYPTO_NHPOLY1305
-	help
-	  NHPoly1305 hash function (Adiantum)
-
-	  Architecture: arm64 using:
-	  - NEON (Advanced SIMD) extensions
-
 config CRYPTO_SM3_NEON
 	tristate "Hash functions: SM3 (NEON)"
 	depends on KERNEL_MODE_NEON
 	select CRYPTO_HASH
 	select CRYPTO_LIB_SM3
diff --git a/arch/arm64/crypto/Makefile b/arch/arm64/crypto/Makefile
index 1e330aa08d3f..3ab4b58e5c4c 100644
--- a/arch/arm64/crypto/Makefile
+++ b/arch/arm64/crypto/Makefile
@@ -39,13 +39,10 @@ obj-$(CONFIG_CRYPTO_AES_ARM64_CE_BLK) += aes-ce-blk.o
 aes-ce-blk-y := aes-glue-ce.o aes-ce.o
 
 obj-$(CONFIG_CRYPTO_AES_ARM64_NEON_BLK) += aes-neon-blk.o
 aes-neon-blk-y := aes-glue-neon.o aes-neon.o
 
-obj-$(CONFIG_CRYPTO_NHPOLY1305_NEON) += nhpoly1305-neon.o
-nhpoly1305-neon-y := nh-neon-core.o nhpoly1305-neon-glue.o
-
 obj-$(CONFIG_CRYPTO_AES_ARM64) += aes-arm64.o
 aes-arm64-y := aes-cipher-core.o aes-cipher-glue.o
 
 obj-$(CONFIG_CRYPTO_AES_ARM64_BS) += aes-neon-bs.o
 aes-neon-bs-y := aes-neonbs-core.o aes-neonbs-glue.o
diff --git a/arch/arm64/crypto/nhpoly1305-neon-glue.c b/arch/arm64/crypto/nhpoly1305-neon-glue.c
deleted file mode 100644
index 013de6ac569a..000000000000
--- a/arch/arm64/crypto/nhpoly1305-neon-glue.c
+++ /dev/null
@@ -1,79 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * NHPoly1305 - ε-almost-∆-universal hash function for Adiantum
- * (ARM64 NEON accelerated version)
- *
- * Copyright 2018 Google LLC
- */
-
-#include <asm/neon.h>
-#include <asm/simd.h>
-#include <crypto/internal/hash.h>
-#include <crypto/internal/simd.h>
-#include <crypto/nhpoly1305.h>
-#include <linux/module.h>
-
-asmlinkage void nh_neon(const u32 *key, const u8 *message, size_t message_len,
-			__le64 hash[NH_NUM_PASSES]);
-
-static int nhpoly1305_neon_update(struct shash_desc *desc,
-				  const u8 *src, unsigned int srclen)
-{
-	if (srclen < 64 || !crypto_simd_usable())
-		return crypto_nhpoly1305_update(desc, src, srclen);
-
-	do {
-		unsigned int n = min_t(unsigned int, srclen, SZ_4K);
-
-		scoped_ksimd()
-			crypto_nhpoly1305_update_helper(desc, src, n, nh_neon);
-		src += n;
-		srclen -= n;
-	} while (srclen);
-	return 0;
-}
-
-static int nhpoly1305_neon_digest(struct shash_desc *desc,
-				  const u8 *src, unsigned int srclen, u8 *out)
-{
-	return crypto_nhpoly1305_init(desc) ?:
-	       nhpoly1305_neon_update(desc, src, srclen) ?:
-	       crypto_nhpoly1305_final(desc, out);
-}
-
-static struct shash_alg nhpoly1305_alg = {
-	.base.cra_name		= "nhpoly1305",
-	.base.cra_driver_name	= "nhpoly1305-neon",
-	.base.cra_priority	= 200,
-	.base.cra_ctxsize	= sizeof(struct nhpoly1305_key),
-	.base.cra_module	= THIS_MODULE,
-	.digestsize		= POLY1305_DIGEST_SIZE,
-	.init			= crypto_nhpoly1305_init,
-	.update			= nhpoly1305_neon_update,
-	.final			= crypto_nhpoly1305_final,
-	.digest			= nhpoly1305_neon_digest,
-	.setkey			= crypto_nhpoly1305_setkey,
-	.descsize		= sizeof(struct nhpoly1305_state),
-};
-
-static int __init nhpoly1305_mod_init(void)
-{
-	if (!cpu_have_named_feature(ASIMD))
-		return -ENODEV;
-
-	return crypto_register_shash(&nhpoly1305_alg);
-}
-
-static void __exit nhpoly1305_mod_exit(void)
-{
-	crypto_unregister_shash(&nhpoly1305_alg);
-}
-
-module_init(nhpoly1305_mod_init);
-module_exit(nhpoly1305_mod_exit);
-
-MODULE_DESCRIPTION("NHPoly1305 ε-almost-∆-universal hash function (NEON-accelerated)");
-MODULE_LICENSE("GPL v2");
-MODULE_AUTHOR("Eric Biggers <ebiggers@google.com>");
-MODULE_ALIAS_CRYPTO("nhpoly1305");
-MODULE_ALIAS_CRYPTO("nhpoly1305-neon");
diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
index c6ee7ca77632..aa3f850ece24 100644
--- a/lib/crypto/Kconfig
+++ b/lib/crypto/Kconfig
@@ -116,10 +116,11 @@ config CRYPTO_LIB_NH
 
 config CRYPTO_LIB_NH_ARCH
 	bool
 	depends on CRYPTO_LIB_NH && !UML
 	default y if ARM && KERNEL_MODE_NEON
+	default y if ARM64 && KERNEL_MODE_NEON
 
 config CRYPTO_LIB_POLY1305
 	tristate
 	help
 	  The Poly1305 library functions.  Select this if your module uses any
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 6dae7e182847..e3a13952bc2a 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -134,10 +134,11 @@ libmldsa-y := mldsa.o
 obj-$(CONFIG_CRYPTO_LIB_NH) += libnh.o
 libnh-y := nh.o
 ifeq ($(CONFIG_CRYPTO_LIB_NH_ARCH),y)
 CFLAGS_nh.o += -I$(src)/$(SRCARCH)
 libnh-$(CONFIG_ARM) += arm/nh-neon-core.o
+libnh-$(CONFIG_ARM64) += arm64/nh-neon-core.o
 endif
 
 ################################################################################
 
 obj-$(CONFIG_CRYPTO_LIB_POLY1305) += libpoly1305.o
diff --git a/arch/arm64/crypto/nh-neon-core.S b/lib/crypto/arm64/nh-neon-core.S
similarity index 97%
rename from arch/arm64/crypto/nh-neon-core.S
rename to lib/crypto/arm64/nh-neon-core.S
index 13eda08fda1e..6fa57fce8085 100644
--- a/arch/arm64/crypto/nh-neon-core.S
+++ b/lib/crypto/arm64/nh-neon-core.S
@@ -6,11 +6,10 @@
  *
  * Author: Eric Biggers <ebiggers@google.com>
  */
 
 #include <linux/linkage.h>
-#include <linux/cfi_types.h>
 
 	KEY		.req	x0
 	MESSAGE		.req	x1
 	MESSAGE_LEN	.req	x2
 	HASH		.req	x3
@@ -61,11 +60,11 @@
  * void nh_neon(const u32 *key, const u8 *message, size_t message_len,
  *		__le64 hash[NH_NUM_PASSES])
  *
  * It's guaranteed that message_len % 16 == 0.
  */
-SYM_TYPED_FUNC_START(nh_neon)
+SYM_FUNC_START(nh_neon)
 
 	ld1		{K0.4s,K1.4s}, [KEY], #32
 	  movi		PASS0_SUMS.2d, #0
 	  movi		PASS1_SUMS.2d, #0
 	ld1		{K2.4s}, [KEY], #16
diff --git a/lib/crypto/arm64/nh.h b/lib/crypto/arm64/nh.h
new file mode 100644
index 000000000000..08902630bdd1
--- /dev/null
+++ b/lib/crypto/arm64/nh.h
@@ -0,0 +1,34 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * ARM64 accelerated implementation of NH
+ *
+ * Copyright 2018 Google LLC
+ */
+
+#include <asm/hwcap.h>
+#include <asm/simd.h>
+#include <linux/cpufeature.h>
+
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
+
+asmlinkage void nh_neon(const u32 *key, const u8 *message, size_t message_len,
+			__le64 hash[NH_NUM_PASSES]);
+
+static bool nh_arch(const u32 *key, const u8 *message, size_t message_len,
+		    __le64 hash[NH_NUM_PASSES])
+{
+	if (static_branch_likely(&have_neon) && message_len >= 64 &&
+	    may_use_simd()) {
+		scoped_ksimd()
+			nh_neon(key, message, message_len, hash);
+		return true;
+	}
+	return false;
+}
+
+#define nh_mod_init_arch nh_mod_init_arch
+static void nh_mod_init_arch(void)
+{
+	if (cpu_have_named_feature(ASIMD))
+		static_branch_enable(&have_neon);
+}
-- 
2.52.0

[PATCH 05/12] lib/crypto: x86/nh: Migrate optimized code into library

[Eric Biggers]

Migrate the x86_64 implementations of NH into lib/crypto/.  This makes
the nh() function be optimized on x86_64 kernels.

Note: this temporarily makes the adiantum template not utilize the
x86_64 optimized NH code.  This is resolved in a later commit that
converts the adiantum template to use nh() instead of "nhpoly1305".

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 arch/x86/crypto/Kconfig                       | 20 -----
 arch/x86/crypto/Makefile                      |  5 --
 arch/x86/crypto/nhpoly1305-avx2-glue.c        | 81 -------------------
 arch/x86/crypto/nhpoly1305-sse2-glue.c        | 80 ------------------
 lib/crypto/Kconfig                            |  1 +
 lib/crypto/Makefile                           |  1 +
 .../crypto/x86/nh-avx2.S                      |  3 +-
 .../crypto/x86/nh-sse2.S                      |  3 +-
 lib/crypto/x86/nh.h                           | 45 +++++++++++
 9 files changed, 49 insertions(+), 190 deletions(-)
 delete mode 100644 arch/x86/crypto/nhpoly1305-avx2-glue.c
 delete mode 100644 arch/x86/crypto/nhpoly1305-sse2-glue.c
 rename arch/x86/crypto/nh-avx2-x86_64.S => lib/crypto/x86/nh-avx2.S (98%)
 rename arch/x86/crypto/nh-sse2-x86_64.S => lib/crypto/x86/nh-sse2.S (97%)
 create mode 100644 lib/crypto/x86/nh.h

diff --git a/arch/x86/crypto/Kconfig b/arch/x86/crypto/Kconfig
index 3fd2423d3cf8..ebb0838eaf30 100644
--- a/arch/x86/crypto/Kconfig
+++ b/arch/x86/crypto/Kconfig
@@ -331,30 +331,10 @@ config CRYPTO_AEGIS128_AESNI_SSE2
 
 	  Architecture: x86_64 using:
 	  - AES-NI (AES New Instructions)
 	  - SSE4.1 (Streaming SIMD Extensions 4.1)
 
-config CRYPTO_NHPOLY1305_SSE2
-	tristate "Hash functions: NHPoly1305 (SSE2)"
-	depends on 64BIT
-	select CRYPTO_NHPOLY1305
-	help
-	  NHPoly1305 hash function for Adiantum
-
-	  Architecture: x86_64 using:
-	  - SSE2 (Streaming SIMD Extensions 2)
-
-config CRYPTO_NHPOLY1305_AVX2
-	tristate "Hash functions: NHPoly1305 (AVX2)"
-	depends on 64BIT
-	select CRYPTO_NHPOLY1305
-	help
-	  NHPoly1305 hash function for Adiantum
-
-	  Architecture: x86_64 using:
-	  - AVX2 (Advanced Vector Extensions 2)
-
 config CRYPTO_SM3_AVX_X86_64
 	tristate "Hash functions: SM3 (AVX)"
 	depends on 64BIT
 	select CRYPTO_HASH
 	select CRYPTO_LIB_SM3
diff --git a/arch/x86/crypto/Makefile b/arch/x86/crypto/Makefile
index 5f2fb4f148fe..b21ad0978c52 100644
--- a/arch/x86/crypto/Makefile
+++ b/arch/x86/crypto/Makefile
@@ -51,15 +51,10 @@ aesni-intel-$(CONFIG_64BIT) += aes-ctr-avx-x86_64.o \
 			       aes-xts-avx-x86_64.o
 
 obj-$(CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL) += ghash-clmulni-intel.o
 ghash-clmulni-intel-y := ghash-clmulni-intel_asm.o ghash-clmulni-intel_glue.o
 
-obj-$(CONFIG_CRYPTO_NHPOLY1305_SSE2) += nhpoly1305-sse2.o
-nhpoly1305-sse2-y := nh-sse2-x86_64.o nhpoly1305-sse2-glue.o
-obj-$(CONFIG_CRYPTO_NHPOLY1305_AVX2) += nhpoly1305-avx2.o
-nhpoly1305-avx2-y := nh-avx2-x86_64.o nhpoly1305-avx2-glue.o
-
 obj-$(CONFIG_CRYPTO_SM3_AVX_X86_64) += sm3-avx-x86_64.o
 sm3-avx-x86_64-y := sm3-avx-asm_64.o sm3_avx_glue.o
 
 obj-$(CONFIG_CRYPTO_SM4_AESNI_AVX_X86_64) += sm4-aesni-avx-x86_64.o
 sm4-aesni-avx-x86_64-y := sm4-aesni-avx-asm_64.o sm4_aesni_avx_glue.o
diff --git a/arch/x86/crypto/nhpoly1305-avx2-glue.c b/arch/x86/crypto/nhpoly1305-avx2-glue.c
deleted file mode 100644
index c3a872f4d6a7..000000000000
--- a/arch/x86/crypto/nhpoly1305-avx2-glue.c
+++ /dev/null
@@ -1,81 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * NHPoly1305 - ε-almost-∆-universal hash function for Adiantum
- * (AVX2 accelerated version)
- *
- * Copyright 2018 Google LLC
- */
-
-#include <crypto/internal/hash.h>
-#include <crypto/internal/simd.h>
-#include <crypto/nhpoly1305.h>
-#include <linux/module.h>
-#include <linux/sizes.h>
-#include <asm/simd.h>
-
-asmlinkage void nh_avx2(const u32 *key, const u8 *message, size_t message_len,
-			__le64 hash[NH_NUM_PASSES]);
-
-static int nhpoly1305_avx2_update(struct shash_desc *desc,
-				  const u8 *src, unsigned int srclen)
-{
-	if (srclen < 64 || !crypto_simd_usable())
-		return crypto_nhpoly1305_update(desc, src, srclen);
-
-	do {
-		unsigned int n = min_t(unsigned int, srclen, SZ_4K);
-
-		kernel_fpu_begin();
-		crypto_nhpoly1305_update_helper(desc, src, n, nh_avx2);
-		kernel_fpu_end();
-		src += n;
-		srclen -= n;
-	} while (srclen);
-	return 0;
-}
-
-static int nhpoly1305_avx2_digest(struct shash_desc *desc,
-				  const u8 *src, unsigned int srclen, u8 *out)
-{
-	return crypto_nhpoly1305_init(desc) ?:
-	       nhpoly1305_avx2_update(desc, src, srclen) ?:
-	       crypto_nhpoly1305_final(desc, out);
-}
-
-static struct shash_alg nhpoly1305_alg = {
-	.base.cra_name		= "nhpoly1305",
-	.base.cra_driver_name	= "nhpoly1305-avx2",
-	.base.cra_priority	= 300,
-	.base.cra_ctxsize	= sizeof(struct nhpoly1305_key),
-	.base.cra_module	= THIS_MODULE,
-	.digestsize		= POLY1305_DIGEST_SIZE,
-	.init			= crypto_nhpoly1305_init,
-	.update			= nhpoly1305_avx2_update,
-	.final			= crypto_nhpoly1305_final,
-	.digest			= nhpoly1305_avx2_digest,
-	.setkey			= crypto_nhpoly1305_setkey,
-	.descsize		= sizeof(struct nhpoly1305_state),
-};
-
-static int __init nhpoly1305_mod_init(void)
-{
-	if (!boot_cpu_has(X86_FEATURE_AVX2) ||
-	    !boot_cpu_has(X86_FEATURE_OSXSAVE))
-		return -ENODEV;
-
-	return crypto_register_shash(&nhpoly1305_alg);
-}
-
-static void __exit nhpoly1305_mod_exit(void)
-{
-	crypto_unregister_shash(&nhpoly1305_alg);
-}
-
-module_init(nhpoly1305_mod_init);
-module_exit(nhpoly1305_mod_exit);
-
-MODULE_DESCRIPTION("NHPoly1305 ε-almost-∆-universal hash function (AVX2-accelerated)");
-MODULE_LICENSE("GPL v2");
-MODULE_AUTHOR("Eric Biggers <ebiggers@google.com>");
-MODULE_ALIAS_CRYPTO("nhpoly1305");
-MODULE_ALIAS_CRYPTO("nhpoly1305-avx2");
diff --git a/arch/x86/crypto/nhpoly1305-sse2-glue.c b/arch/x86/crypto/nhpoly1305-sse2-glue.c
deleted file mode 100644
index a268a8439a5c..000000000000
--- a/arch/x86/crypto/nhpoly1305-sse2-glue.c
+++ /dev/null
@@ -1,80 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * NHPoly1305 - ε-almost-∆-universal hash function for Adiantum
- * (SSE2 accelerated version)
- *
- * Copyright 2018 Google LLC
- */
-
-#include <crypto/internal/hash.h>
-#include <crypto/internal/simd.h>
-#include <crypto/nhpoly1305.h>
-#include <linux/module.h>
-#include <linux/sizes.h>
-#include <asm/simd.h>
-
-asmlinkage void nh_sse2(const u32 *key, const u8 *message, size_t message_len,
-			__le64 hash[NH_NUM_PASSES]);
-
-static int nhpoly1305_sse2_update(struct shash_desc *desc,
-				  const u8 *src, unsigned int srclen)
-{
-	if (srclen < 64 || !crypto_simd_usable())
-		return crypto_nhpoly1305_update(desc, src, srclen);
-
-	do {
-		unsigned int n = min_t(unsigned int, srclen, SZ_4K);
-
-		kernel_fpu_begin();
-		crypto_nhpoly1305_update_helper(desc, src, n, nh_sse2);
-		kernel_fpu_end();
-		src += n;
-		srclen -= n;
-	} while (srclen);
-	return 0;
-}
-
-static int nhpoly1305_sse2_digest(struct shash_desc *desc,
-				  const u8 *src, unsigned int srclen, u8 *out)
-{
-	return crypto_nhpoly1305_init(desc) ?:
-	       nhpoly1305_sse2_update(desc, src, srclen) ?:
-	       crypto_nhpoly1305_final(desc, out);
-}
-
-static struct shash_alg nhpoly1305_alg = {
-	.base.cra_name		= "nhpoly1305",
-	.base.cra_driver_name	= "nhpoly1305-sse2",
-	.base.cra_priority	= 200,
-	.base.cra_ctxsize	= sizeof(struct nhpoly1305_key),
-	.base.cra_module	= THIS_MODULE,
-	.digestsize		= POLY1305_DIGEST_SIZE,
-	.init			= crypto_nhpoly1305_init,
-	.update			= nhpoly1305_sse2_update,
-	.final			= crypto_nhpoly1305_final,
-	.digest			= nhpoly1305_sse2_digest,
-	.setkey			= crypto_nhpoly1305_setkey,
-	.descsize		= sizeof(struct nhpoly1305_state),
-};
-
-static int __init nhpoly1305_mod_init(void)
-{
-	if (!boot_cpu_has(X86_FEATURE_XMM2))
-		return -ENODEV;
-
-	return crypto_register_shash(&nhpoly1305_alg);
-}
-
-static void __exit nhpoly1305_mod_exit(void)
-{
-	crypto_unregister_shash(&nhpoly1305_alg);
-}
-
-module_init(nhpoly1305_mod_init);
-module_exit(nhpoly1305_mod_exit);
-
-MODULE_DESCRIPTION("NHPoly1305 ε-almost-∆-universal hash function (SSE2-accelerated)");
-MODULE_LICENSE("GPL v2");
-MODULE_AUTHOR("Eric Biggers <ebiggers@google.com>");
-MODULE_ALIAS_CRYPTO("nhpoly1305");
-MODULE_ALIAS_CRYPTO("nhpoly1305-sse2");
diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
index aa3f850ece24..33cf46bbadc8 100644
--- a/lib/crypto/Kconfig
+++ b/lib/crypto/Kconfig
@@ -117,10 +117,11 @@ config CRYPTO_LIB_NH
 config CRYPTO_LIB_NH_ARCH
 	bool
 	depends on CRYPTO_LIB_NH && !UML
 	default y if ARM && KERNEL_MODE_NEON
 	default y if ARM64 && KERNEL_MODE_NEON
+	default y if X86_64
 
 config CRYPTO_LIB_POLY1305
 	tristate
 	help
 	  The Poly1305 library functions.  Select this if your module uses any
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index e3a13952bc2a..45128eccedef 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -135,10 +135,11 @@ obj-$(CONFIG_CRYPTO_LIB_NH) += libnh.o
 libnh-y := nh.o
 ifeq ($(CONFIG_CRYPTO_LIB_NH_ARCH),y)
 CFLAGS_nh.o += -I$(src)/$(SRCARCH)
 libnh-$(CONFIG_ARM) += arm/nh-neon-core.o
 libnh-$(CONFIG_ARM64) += arm64/nh-neon-core.o
+libnh-$(CONFIG_X86) += x86/nh-sse2.o x86/nh-avx2.o
 endif
 
 ################################################################################
 
 obj-$(CONFIG_CRYPTO_LIB_POLY1305) += libpoly1305.o
diff --git a/arch/x86/crypto/nh-avx2-x86_64.S b/lib/crypto/x86/nh-avx2.S
similarity index 98%
rename from arch/x86/crypto/nh-avx2-x86_64.S
rename to lib/crypto/x86/nh-avx2.S
index 791386d9a83a..9c085a31b137 100644
--- a/arch/x86/crypto/nh-avx2-x86_64.S
+++ b/lib/crypto/x86/nh-avx2.S
@@ -6,11 +6,10 @@
  *
  * Author: Eric Biggers <ebiggers@google.com>
  */
 
 #include <linux/linkage.h>
-#include <linux/cfi_types.h>
 
 #define		PASS0_SUMS	%ymm0
 #define		PASS1_SUMS	%ymm1
 #define		PASS2_SUMS	%ymm2
 #define		PASS3_SUMS	%ymm3
@@ -68,11 +67,11 @@
  * void nh_avx2(const u32 *key, const u8 *message, size_t message_len,
  *		__le64 hash[NH_NUM_PASSES])
  *
  * It's guaranteed that message_len % 16 == 0.
  */
-SYM_TYPED_FUNC_START(nh_avx2)
+SYM_FUNC_START(nh_avx2)
 
 	vmovdqu		0x00(KEY), K0
 	vmovdqu		0x10(KEY), K1
 	add		$0x20, KEY
 	vpxor		PASS0_SUMS, PASS0_SUMS, PASS0_SUMS
diff --git a/arch/x86/crypto/nh-sse2-x86_64.S b/lib/crypto/x86/nh-sse2.S
similarity index 97%
rename from arch/x86/crypto/nh-sse2-x86_64.S
rename to lib/crypto/x86/nh-sse2.S
index 75fb994b6d17..d36c0e6d5556 100644
--- a/arch/x86/crypto/nh-sse2-x86_64.S
+++ b/lib/crypto/x86/nh-sse2.S
@@ -6,11 +6,10 @@
  *
  * Author: Eric Biggers <ebiggers@google.com>
  */
 
 #include <linux/linkage.h>
-#include <linux/cfi_types.h>
 
 #define		PASS0_SUMS	%xmm0
 #define		PASS1_SUMS	%xmm1
 #define		PASS2_SUMS	%xmm2
 #define		PASS3_SUMS	%xmm3
@@ -70,11 +69,11 @@
  * void nh_sse2(const u32 *key, const u8 *message, size_t message_len,
  *		__le64 hash[NH_NUM_PASSES])
  *
  * It's guaranteed that message_len % 16 == 0.
  */
-SYM_TYPED_FUNC_START(nh_sse2)
+SYM_FUNC_START(nh_sse2)
 
 	movdqu		0x00(KEY), K0
 	movdqu		0x10(KEY), K1
 	movdqu		0x20(KEY), K2
 	add		$0x30, KEY
diff --git a/lib/crypto/x86/nh.h b/lib/crypto/x86/nh.h
new file mode 100644
index 000000000000..83361c2e9783
--- /dev/null
+++ b/lib/crypto/x86/nh.h
@@ -0,0 +1,45 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * x86_64 accelerated implementation of NH
+ *
+ * Copyright 2018 Google LLC
+ */
+
+#include <asm/fpu/api.h>
+#include <linux/static_call.h>
+
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_sse2);
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_avx2);
+
+asmlinkage void nh_sse2(const u32 *key, const u8 *message, size_t message_len,
+			__le64 hash[NH_NUM_PASSES]);
+asmlinkage void nh_avx2(const u32 *key, const u8 *message, size_t message_len,
+			__le64 hash[NH_NUM_PASSES]);
+
+static bool nh_arch(const u32 *key, const u8 *message, size_t message_len,
+		    __le64 hash[NH_NUM_PASSES])
+{
+	if (message_len >= 64 && static_branch_likely(&have_sse2) &&
+	    irq_fpu_usable()) {
+		kernel_fpu_begin();
+		if (static_branch_likely(&have_avx2))
+			nh_avx2(key, message, message_len, hash);
+		else
+			nh_sse2(key, message, message_len, hash);
+		kernel_fpu_end();
+		return true;
+	}
+	return false;
+}
+
+#define nh_mod_init_arch nh_mod_init_arch
+static void nh_mod_init_arch(void)
+{
+	if (boot_cpu_has(X86_FEATURE_XMM2)) {
+		static_branch_enable(&have_sse2);
+		if (boot_cpu_has(X86_FEATURE_AVX2) &&
+		    cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM,
+				      NULL))
+			static_branch_enable(&have_avx2);
+	}
+}
-- 
2.52.0

[PATCH 06/12] crypto: adiantum - Convert to use NH library

[Eric Biggers]

Reimplement the Adiantum message hashing using the nh() library
function, combined with some code which directly handles the Poly1305
stage.  The latter code is derived from crypto/nhpoly1305.c.

This eliminates the dependency on the "nhpoly1305" crypto_shash
algorithm, which existed only to fit Adiantum message hashing into the
traditional Linux crypto API paradigm.  Now that simple,
architecture-optimized library functions are a well-established option
too, we can switch to this simpler implementation.

Note: I've dropped the support for the optional third parameter of the
adiantum template, which specified the nhpoly1305 implementation.  We
could keep accepting some strings in this parameter for backwards
compatibility, but I don't think it's being used.  I believe only
"adiantum(xchacha12,aes)" and "adiantum(xchacha20,aes)" are used.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 crypto/Kconfig    |   2 +-
 crypto/adiantum.c | 295 +++++++++++++++++++++++++++++-----------------
 crypto/testmgr.c  |   4 +-
 3 files changed, 191 insertions(+), 110 deletions(-)

diff --git a/crypto/Kconfig b/crypto/Kconfig
index 2e5b195b1b06..89d1ccaa1fa0 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -599,13 +599,13 @@ endmenu
 menu "Length-preserving ciphers and modes"
 
 config CRYPTO_ADIANTUM
 	tristate "Adiantum"
 	select CRYPTO_CHACHA20
+	select CRYPTO_LIB_NH
 	select CRYPTO_LIB_POLY1305
 	select CRYPTO_LIB_POLY1305_GENERIC
-	select CRYPTO_NHPOLY1305
 	select CRYPTO_MANAGER
 	help
 	  Adiantum tweakable, length-preserving encryption mode
 
 	  Designed for fast and secure disk encryption, especially on
diff --git a/crypto/adiantum.c b/crypto/adiantum.c
index a6bca877c3c7..bbe519fbd739 100644
--- a/crypto/adiantum.c
+++ b/crypto/adiantum.c
@@ -18,27 +18,18 @@
  *
  * For flexibility, this implementation also allows other ciphers:
  *
  *	- Stream cipher: XChaCha12 or XChaCha20
  *	- Block cipher: any with a 128-bit block size and 256-bit key
- *
- * This implementation doesn't currently allow other ε-∆U hash functions, i.e.
- * HPolyC is not supported.  This is because Adiantum is ~20% faster than HPolyC
- * but still provably as secure, and also the ε-∆U hash function of HBSH is
- * formally defined to take two inputs (tweak, message) which makes it difficult
- * to wrap with the crypto_shash API.  Rather, some details need to be handled
- * here.  Nevertheless, if needed in the future, support for other ε-∆U hash
- * functions could be added here.
  */
 
 #include <crypto/b128ops.h>
 #include <crypto/chacha.h>
 #include <crypto/internal/cipher.h>
-#include <crypto/internal/hash.h>
 #include <crypto/internal/poly1305.h>
 #include <crypto/internal/skcipher.h>
-#include <crypto/nhpoly1305.h>
+#include <crypto/nh.h>
 #include <crypto/scatterwalk.h>
 #include <linux/module.h>
 
 /*
  * Size of right-hand part of input data, in bytes; also the size of the block
@@ -48,11 +39,11 @@
 
 /* Size of the block cipher key (K_E) in bytes */
 #define BLOCKCIPHER_KEY_SIZE		32
 
 /* Size of the hash key (K_H) in bytes */
-#define HASH_KEY_SIZE		(POLY1305_BLOCK_SIZE + NHPOLY1305_KEY_SIZE)
+#define HASH_KEY_SIZE		(2 * POLY1305_BLOCK_SIZE + NH_KEY_BYTES)
 
 /*
  * The specification allows variable-length tweaks, but Linux's crypto API
  * currently only allows algorithms to support a single length.  The "natural"
  * tweak length for Adiantum is 16, since that fits into one Poly1305 block for
@@ -62,18 +53,35 @@
 #define TWEAK_SIZE		32
 
 struct adiantum_instance_ctx {
 	struct crypto_skcipher_spawn streamcipher_spawn;
 	struct crypto_cipher_spawn blockcipher_spawn;
-	struct crypto_shash_spawn hash_spawn;
 };
 
 struct adiantum_tfm_ctx {
 	struct crypto_skcipher *streamcipher;
 	struct crypto_cipher *blockcipher;
-	struct crypto_shash *hash;
 	struct poly1305_core_key header_hash_key;
+	struct poly1305_core_key msg_poly_key;
+	u32 nh_key[NH_KEY_WORDS];
+};
+
+struct nhpoly1305_ctx {
+	/* Running total of polynomial evaluation */
+	struct poly1305_state poly_state;
+
+	/* Partial block buffer */
+	u8 buffer[NH_MESSAGE_UNIT];
+	unsigned int buflen;
+
+	/*
+	 * Number of bytes remaining until the current NH message reaches
+	 * NH_MESSAGE_BYTES.  When nonzero, 'nh_hash' holds the partial NH hash.
+	 */
+	unsigned int nh_remaining;
+
+	__le64 nh_hash[NH_NUM_PASSES];
 };
 
 struct adiantum_request_ctx {
 
 	/*
@@ -96,13 +104,16 @@ struct adiantum_request_ctx {
 	 * The result of the Poly1305 ε-∆U hash function applied to
 	 * (bulk length, tweak)
 	 */
 	le128 header_hash;
 
-	/* Sub-requests, must be last */
+	/*
+	 * skcipher sub-request size is unknown at compile-time, so it needs to
+	 * go after the members with known sizes.
+	 */
 	union {
-		struct shash_desc hash_desc;
+		struct nhpoly1305_ctx hash_ctx;
 		struct skcipher_request streamcipher_req;
 	} u;
 };
 
 /*
@@ -168,16 +179,15 @@ static int adiantum_setkey(struct crypto_skcipher *tfm, const u8 *key,
 	keyp += BLOCKCIPHER_KEY_SIZE;
 
 	/* Set the hash key (K_H) */
 	poly1305_core_setkey(&tctx->header_hash_key, keyp);
 	keyp += POLY1305_BLOCK_SIZE;
-
-	crypto_shash_clear_flags(tctx->hash, CRYPTO_TFM_REQ_MASK);
-	crypto_shash_set_flags(tctx->hash, crypto_skcipher_get_flags(tfm) &
-					   CRYPTO_TFM_REQ_MASK);
-	err = crypto_shash_setkey(tctx->hash, keyp, NHPOLY1305_KEY_SIZE);
-	keyp += NHPOLY1305_KEY_SIZE;
+	poly1305_core_setkey(&tctx->msg_poly_key, keyp);
+	keyp += POLY1305_BLOCK_SIZE;
+	for (int i = 0; i < NH_KEY_WORDS; i++)
+		tctx->nh_key[i] = get_unaligned_le32(&keyp[i * 4]);
+	keyp += NH_KEY_BYTES;
 	WARN_ON(keyp != &data->derived_keys[ARRAY_SIZE(data->derived_keys)]);
 out:
 	kfree_sensitive(data);
 	return err;
 }
@@ -241,39 +251,147 @@ static void adiantum_hash_header(struct skcipher_request *req)
 			     TWEAK_SIZE / POLY1305_BLOCK_SIZE, 1);
 
 	poly1305_core_emit(&state, NULL, &rctx->header_hash);
 }
 
-/* Hash the left-hand part (the "bulk") of the message using NHPoly1305 */
-static int adiantum_hash_message(struct skcipher_request *req,
-				 struct scatterlist *sgl, unsigned int nents,
-				 le128 *digest)
+/* Pass the next NH hash value through Poly1305 */
+static void process_nh_hash_value(struct nhpoly1305_ctx *ctx,
+				  const struct adiantum_tfm_ctx *key)
+{
+	static_assert(NH_HASH_BYTES % POLY1305_BLOCK_SIZE == 0);
+
+	poly1305_core_blocks(&ctx->poly_state, &key->msg_poly_key, ctx->nh_hash,
+			     NH_HASH_BYTES / POLY1305_BLOCK_SIZE, 1);
+}
+
+/*
+ * Feed the next portion of the message data, as a whole number of 16-byte
+ * "NH message units", through NH and Poly1305.  Each NH hash is taken over
+ * 1024 bytes, except possibly the final one which is taken over a multiple of
+ * 16 bytes up to 1024.  Also, in the case where data is passed in misaligned
+ * chunks, we combine partial hashes; the end result is the same either way.
+ */
+static void nhpoly1305_units(struct nhpoly1305_ctx *ctx,
+			     const struct adiantum_tfm_ctx *key,
+			     const u8 *data, size_t len)
+{
+	do {
+		unsigned int bytes;
+
+		if (ctx->nh_remaining == 0) {
+			/* Starting a new NH message */
+			bytes = min(len, NH_MESSAGE_BYTES);
+			nh(key->nh_key, data, bytes, ctx->nh_hash);
+			ctx->nh_remaining = NH_MESSAGE_BYTES - bytes;
+		} else {
+			/* Continuing a previous NH message */
+			__le64 tmp_hash[NH_NUM_PASSES];
+			unsigned int pos;
+
+			pos = NH_MESSAGE_BYTES - ctx->nh_remaining;
+			bytes = min(len, ctx->nh_remaining);
+			nh(&key->nh_key[pos / 4], data, bytes, tmp_hash);
+			for (int i = 0; i < NH_NUM_PASSES; i++)
+				le64_add_cpu(&ctx->nh_hash[i],
+					     le64_to_cpu(tmp_hash[i]));
+			ctx->nh_remaining -= bytes;
+		}
+		if (ctx->nh_remaining == 0)
+			process_nh_hash_value(ctx, key);
+		data += bytes;
+		len -= bytes;
+	} while (len);
+}
+
+static void nhpoly1305_init(struct nhpoly1305_ctx *ctx)
+{
+	poly1305_core_init(&ctx->poly_state);
+	ctx->buflen = 0;
+	ctx->nh_remaining = 0;
+}
+
+static void nhpoly1305_update(struct nhpoly1305_ctx *ctx,
+			      const struct adiantum_tfm_ctx *key,
+			      const u8 *data, size_t len)
 {
+	unsigned int bytes;
+
+	if (ctx->buflen) {
+		bytes = min(len, (int)NH_MESSAGE_UNIT - ctx->buflen);
+		memcpy(&ctx->buffer[ctx->buflen], data, bytes);
+		ctx->buflen += bytes;
+		if (ctx->buflen < NH_MESSAGE_UNIT)
+			return;
+		nhpoly1305_units(ctx, key, ctx->buffer, NH_MESSAGE_UNIT);
+		ctx->buflen = 0;
+		data += bytes;
+		len -= bytes;
+	}
+
+	if (len >= NH_MESSAGE_UNIT) {
+		bytes = round_down(len, NH_MESSAGE_UNIT);
+		nhpoly1305_units(ctx, key, data, bytes);
+		data += bytes;
+		len -= bytes;
+	}
+
+	if (len) {
+		memcpy(ctx->buffer, data, len);
+		ctx->buflen = len;
+	}
+}
+
+static void nhpoly1305_final(struct nhpoly1305_ctx *ctx,
+			     const struct adiantum_tfm_ctx *key, le128 *out)
+{
+	if (ctx->buflen) {
+		memset(&ctx->buffer[ctx->buflen], 0,
+		       NH_MESSAGE_UNIT - ctx->buflen);
+		nhpoly1305_units(ctx, key, ctx->buffer, NH_MESSAGE_UNIT);
+	}
+
+	if (ctx->nh_remaining)
+		process_nh_hash_value(ctx, key);
+
+	poly1305_core_emit(&ctx->poly_state, NULL, out);
+}
+
+/*
+ * Hash the left-hand part (the "bulk") of the message as follows:
+ *
+ *	H_L ← Poly1305_{K_L}(NH_{K_N}(pad_{128}(L)))
+ *
+ * See section 6.4 of the Adiantum paper.  This is an ε-almost-∆-universal
+ * (ε-∆U) hash function for equal-length inputs over Z/(2^{128}Z), where the "∆"
+ * operation is addition.  It hashes 1024-byte chunks of the input with the NH
+ * hash function, reducing the input length by 32x.  The resulting NH hashes are
+ * evaluated as a polynomial in GF(2^{130}-5), like in the Poly1305 MAC.  Note
+ * that the polynomial evaluation by itself would suffice to achieve the ε-∆U
+ * property; NH is used for performance since it's much faster than Poly1305.
+ */
+static void adiantum_hash_message(struct skcipher_request *req,
+				  struct scatterlist *sgl, unsigned int nents,
+				  le128 *out)
+{
+	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+	const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
 	struct adiantum_request_ctx *rctx = skcipher_request_ctx(req);
 	const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE;
-	struct shash_desc *hash_desc = &rctx->u.hash_desc;
 	struct sg_mapping_iter miter;
 	unsigned int i, n;
-	int err;
 
-	err = crypto_shash_init(hash_desc);
-	if (err)
-		return err;
+	nhpoly1305_init(&rctx->u.hash_ctx);
 
 	sg_miter_start(&miter, sgl, nents, SG_MITER_FROM_SG | SG_MITER_ATOMIC);
 	for (i = 0; i < bulk_len; i += n) {
 		sg_miter_next(&miter);
 		n = min_t(unsigned int, miter.length, bulk_len - i);
-		err = crypto_shash_update(hash_desc, miter.addr, n);
-		if (err)
-			break;
+		nhpoly1305_update(&rctx->u.hash_ctx, tctx, miter.addr, n);
 	}
 	sg_miter_stop(&miter);
-	if (err)
-		return err;
 
-	return crypto_shash_final(hash_desc, (u8 *)digest);
+	nhpoly1305_final(&rctx->u.hash_ctx, tctx, out);
 }
 
 /* Continue Adiantum encryption/decryption after the stream cipher step */
 static int adiantum_finish(struct skcipher_request *req)
 {
@@ -282,11 +400,10 @@ static int adiantum_finish(struct skcipher_request *req)
 	struct adiantum_request_ctx *rctx = skcipher_request_ctx(req);
 	const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE;
 	struct scatterlist *dst = req->dst;
 	const unsigned int dst_nents = sg_nents(dst);
 	le128 digest;
-	int err;
 
 	/* If decrypting, decrypt C_M with the block cipher to get P_M */
 	if (!rctx->enc)
 		crypto_cipher_decrypt_one(tctx->blockcipher, rctx->rbuf.bytes,
 					  rctx->rbuf.bytes);
@@ -294,32 +411,26 @@ static int adiantum_finish(struct skcipher_request *req)
 	/*
 	 * Second hash step
 	 *	enc: C_R = C_M - H_{K_H}(T, C_L)
 	 *	dec: P_R = P_M - H_{K_H}(T, P_L)
 	 */
-	rctx->u.hash_desc.tfm = tctx->hash;
 	le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &rctx->header_hash);
 	if (dst_nents == 1 && dst->offset + req->cryptlen <= PAGE_SIZE) {
 		/* Fast path for single-page destination */
 		struct page *page = sg_page(dst);
 		void *virt = kmap_local_page(page) + dst->offset;
 
-		err = crypto_shash_digest(&rctx->u.hash_desc, virt, bulk_len,
-					  (u8 *)&digest);
-		if (err) {
-			kunmap_local(virt);
-			return err;
-		}
+		nhpoly1305_init(&rctx->u.hash_ctx);
+		nhpoly1305_update(&rctx->u.hash_ctx, tctx, virt, bulk_len);
+		nhpoly1305_final(&rctx->u.hash_ctx, tctx, &digest);
 		le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest);
 		memcpy(virt + bulk_len, &rctx->rbuf.bignum, sizeof(le128));
 		flush_dcache_page(page);
 		kunmap_local(virt);
 	} else {
 		/* Slow path that works for any destination scatterlist */
-		err = adiantum_hash_message(req, dst, dst_nents, &digest);
-		if (err)
-			return err;
+		adiantum_hash_message(req, dst, dst_nents, &digest);
 		le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest);
 		scatterwalk_map_and_copy(&rctx->rbuf.bignum, dst,
 					 bulk_len, sizeof(le128), 1);
 	}
 	return 0;
@@ -343,11 +454,10 @@ static int adiantum_crypt(struct skcipher_request *req, bool enc)
 	const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE;
 	struct scatterlist *src = req->src;
 	const unsigned int src_nents = sg_nents(src);
 	unsigned int stream_len;
 	le128 digest;
-	int err;
 
 	if (req->cryptlen < BLOCKCIPHER_BLOCK_SIZE)
 		return -EINVAL;
 
 	rctx->enc = enc;
@@ -356,27 +466,25 @@ static int adiantum_crypt(struct skcipher_request *req, bool enc)
 	 * First hash step
 	 *	enc: P_M = P_R + H_{K_H}(T, P_L)
 	 *	dec: C_M = C_R + H_{K_H}(T, C_L)
 	 */
 	adiantum_hash_header(req);
-	rctx->u.hash_desc.tfm = tctx->hash;
 	if (src_nents == 1 && src->offset + req->cryptlen <= PAGE_SIZE) {
 		/* Fast path for single-page source */
 		void *virt = kmap_local_page(sg_page(src)) + src->offset;
 
-		err = crypto_shash_digest(&rctx->u.hash_desc, virt, bulk_len,
-					  (u8 *)&digest);
+		nhpoly1305_init(&rctx->u.hash_ctx);
+		nhpoly1305_update(&rctx->u.hash_ctx, tctx, virt, bulk_len);
+		nhpoly1305_final(&rctx->u.hash_ctx, tctx, &digest);
 		memcpy(&rctx->rbuf.bignum, virt + bulk_len, sizeof(le128));
 		kunmap_local(virt);
 	} else {
 		/* Slow path that works for any source scatterlist */
-		err = adiantum_hash_message(req, src, src_nents, &digest);
+		adiantum_hash_message(req, src, src_nents, &digest);
 		scatterwalk_map_and_copy(&rctx->rbuf.bignum, src,
 					 bulk_len, sizeof(le128), 0);
 	}
-	if (err)
-		return err;
 	le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &rctx->header_hash);
 	le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest);
 
 	/* If encrypting, encrypt P_M with the block cipher to get C_M */
 	if (enc)
@@ -429,12 +537,10 @@ static int adiantum_init_tfm(struct crypto_skcipher *tfm)
 	struct skcipher_instance *inst = skcipher_alg_instance(tfm);
 	struct adiantum_instance_ctx *ictx = skcipher_instance_ctx(inst);
 	struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
 	struct crypto_skcipher *streamcipher;
 	struct crypto_cipher *blockcipher;
-	struct crypto_shash *hash;
-	unsigned int subreq_size;
 	int err;
 
 	streamcipher = crypto_spawn_skcipher(&ictx->streamcipher_spawn);
 	if (IS_ERR(streamcipher))
 		return PTR_ERR(streamcipher);
@@ -443,36 +549,22 @@ static int adiantum_init_tfm(struct crypto_skcipher *tfm)
 	if (IS_ERR(blockcipher)) {
 		err = PTR_ERR(blockcipher);
 		goto err_free_streamcipher;
 	}
 
-	hash = crypto_spawn_shash(&ictx->hash_spawn);
-	if (IS_ERR(hash)) {
-		err = PTR_ERR(hash);
-		goto err_free_blockcipher;
-	}
-
 	tctx->streamcipher = streamcipher;
 	tctx->blockcipher = blockcipher;
-	tctx->hash = hash;
 
 	BUILD_BUG_ON(offsetofend(struct adiantum_request_ctx, u) !=
 		     sizeof(struct adiantum_request_ctx));
-	subreq_size = max(sizeof_field(struct adiantum_request_ctx,
-				       u.hash_desc) +
-			  crypto_shash_descsize(hash),
-			  sizeof_field(struct adiantum_request_ctx,
-				       u.streamcipher_req) +
-			  crypto_skcipher_reqsize(streamcipher));
-
-	crypto_skcipher_set_reqsize(tfm,
-				    offsetof(struct adiantum_request_ctx, u) +
-				    subreq_size);
+	crypto_skcipher_set_reqsize(
+		tfm, max(sizeof(struct adiantum_request_ctx),
+			 offsetofend(struct adiantum_request_ctx,
+				     u.streamcipher_req) +
+				 crypto_skcipher_reqsize(streamcipher)));
 	return 0;
 
-err_free_blockcipher:
-	crypto_free_cipher(blockcipher);
 err_free_streamcipher:
 	crypto_free_skcipher(streamcipher);
 	return err;
 }
 
@@ -480,30 +572,28 @@ static void adiantum_exit_tfm(struct crypto_skcipher *tfm)
 {
 	struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
 
 	crypto_free_skcipher(tctx->streamcipher);
 	crypto_free_cipher(tctx->blockcipher);
-	crypto_free_shash(tctx->hash);
 }
 
 static void adiantum_free_instance(struct skcipher_instance *inst)
 {
 	struct adiantum_instance_ctx *ictx = skcipher_instance_ctx(inst);
 
 	crypto_drop_skcipher(&ictx->streamcipher_spawn);
 	crypto_drop_cipher(&ictx->blockcipher_spawn);
-	crypto_drop_shash(&ictx->hash_spawn);
 	kfree(inst);
 }
 
 /*
  * Check for a supported set of inner algorithms.
  * See the comment at the beginning of this file.
  */
-static bool adiantum_supported_algorithms(struct skcipher_alg_common *streamcipher_alg,
-					  struct crypto_alg *blockcipher_alg,
-					  struct shash_alg *hash_alg)
+static bool
+adiantum_supported_algorithms(struct skcipher_alg_common *streamcipher_alg,
+			      struct crypto_alg *blockcipher_alg)
 {
 	if (strcmp(streamcipher_alg->base.cra_name, "xchacha12") != 0 &&
 	    strcmp(streamcipher_alg->base.cra_name, "xchacha20") != 0)
 		return false;
 
@@ -511,25 +601,20 @@ static bool adiantum_supported_algorithms(struct skcipher_alg_common *streamciph
 	    blockcipher_alg->cra_cipher.cia_max_keysize < BLOCKCIPHER_KEY_SIZE)
 		return false;
 	if (blockcipher_alg->cra_blocksize != BLOCKCIPHER_BLOCK_SIZE)
 		return false;
 
-	if (strcmp(hash_alg->base.cra_name, "nhpoly1305") != 0)
-		return false;
-
 	return true;
 }
 
 static int adiantum_create(struct crypto_template *tmpl, struct rtattr **tb)
 {
 	u32 mask;
-	const char *nhpoly1305_name;
 	struct skcipher_instance *inst;
 	struct adiantum_instance_ctx *ictx;
 	struct skcipher_alg_common *streamcipher_alg;
 	struct crypto_alg *blockcipher_alg;
-	struct shash_alg *hash_alg;
 	int err;
 
 	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SKCIPHER, &mask);
 	if (err)
 		return err;
@@ -553,27 +638,25 @@ static int adiantum_create(struct crypto_template *tmpl, struct rtattr **tb)
 				 crypto_attr_alg_name(tb[2]), 0, mask);
 	if (err)
 		goto err_free_inst;
 	blockcipher_alg = crypto_spawn_cipher_alg(&ictx->blockcipher_spawn);
 
-	/* NHPoly1305 ε-∆U hash function */
-	nhpoly1305_name = crypto_attr_alg_name(tb[3]);
-	if (nhpoly1305_name == ERR_PTR(-ENOENT))
-		nhpoly1305_name = "nhpoly1305";
-	err = crypto_grab_shash(&ictx->hash_spawn,
-				skcipher_crypto_instance(inst),
-				nhpoly1305_name, 0, mask);
-	if (err)
+	/*
+	 * Originally there was an optional third parameter, for requesting a
+	 * specific implementation of "nhpoly1305" for message hashing.  This is
+	 * no longer supported.  The best implementation is just always used.
+	 */
+	if (crypto_attr_alg_name(tb[3]) != ERR_PTR(-ENOENT)) {
+		err = -ENOENT;
 		goto err_free_inst;
-	hash_alg = crypto_spawn_shash_alg(&ictx->hash_spawn);
+	}
 
 	/* Check the set of algorithms */
-	if (!adiantum_supported_algorithms(streamcipher_alg, blockcipher_alg,
-					   hash_alg)) {
-		pr_warn("Unsupported Adiantum instantiation: (%s,%s,%s)\n",
+	if (!adiantum_supported_algorithms(streamcipher_alg, blockcipher_alg)) {
+		pr_warn("Unsupported Adiantum instantiation: (%s,%s)\n",
 			streamcipher_alg->base.cra_name,
-			blockcipher_alg->cra_name, hash_alg->base.cra_name);
+			blockcipher_alg->cra_name);
 		err = -EINVAL;
 		goto err_free_inst;
 	}
 
 	/* Instance fields */
@@ -582,28 +665,26 @@ static int adiantum_create(struct crypto_template *tmpl, struct rtattr **tb)
 	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
 		     "adiantum(%s,%s)", streamcipher_alg->base.cra_name,
 		     blockcipher_alg->cra_name) >= CRYPTO_MAX_ALG_NAME)
 		goto err_free_inst;
 	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
-		     "adiantum(%s,%s,%s)",
-		     streamcipher_alg->base.cra_driver_name,
-		     blockcipher_alg->cra_driver_name,
-		     hash_alg->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
+		     "adiantum(%s,%s)", streamcipher_alg->base.cra_driver_name,
+		     blockcipher_alg->cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
 		goto err_free_inst;
 
 	inst->alg.base.cra_blocksize = BLOCKCIPHER_BLOCK_SIZE;
 	inst->alg.base.cra_ctxsize = sizeof(struct adiantum_tfm_ctx);
 	inst->alg.base.cra_alignmask = streamcipher_alg->base.cra_alignmask;
 	/*
 	 * The block cipher is only invoked once per message, so for long
 	 * messages (e.g. sectors for disk encryption) its performance doesn't
-	 * matter as much as that of the stream cipher and hash function.  Thus,
-	 * weigh the block cipher's ->cra_priority less.
+	 * matter as much as that of the stream cipher.  Thus, weigh the block
+	 * cipher's ->cra_priority less.
 	 */
 	inst->alg.base.cra_priority = (4 * streamcipher_alg->base.cra_priority +
-				       2 * hash_alg->base.cra_priority +
-				       blockcipher_alg->cra_priority) / 7;
+				       blockcipher_alg->cra_priority) /
+				      5;
 
 	inst->alg.setkey = adiantum_setkey;
 	inst->alg.encrypt = adiantum_encrypt;
 	inst->alg.decrypt = adiantum_decrypt;
 	inst->alg.init = adiantum_init_tfm;
@@ -620,11 +701,11 @@ static int adiantum_create(struct crypto_template *tmpl, struct rtattr **tb)
 		adiantum_free_instance(inst);
 	}
 	return err;
 }
 
-/* adiantum(streamcipher_name, blockcipher_name [, nhpoly1305_name]) */
+/* adiantum(streamcipher_name, blockcipher_name) */
 static struct crypto_template adiantum_tmpl = {
 	.name = "adiantum",
 	.create = adiantum_create,
 	.module = THIS_MODULE,
 };
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index a302be53896d..d9fc671d5941 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -4059,18 +4059,18 @@ static int alg_test_null(const struct alg_test_desc *desc,
 
 /* Please keep this list sorted by algorithm name. */
 static const struct alg_test_desc alg_test_descs[] = {
 	{
 		.alg = "adiantum(xchacha12,aes)",
-		.generic_driver = "adiantum(xchacha12-lib,aes-generic,nhpoly1305-generic)",
+		.generic_driver = "adiantum(xchacha12-lib,aes-generic)",
 		.test = alg_test_skcipher,
 		.suite = {
 			.cipher = __VECS(adiantum_xchacha12_aes_tv_template)
 		},
 	}, {
 		.alg = "adiantum(xchacha20,aes)",
-		.generic_driver = "adiantum(xchacha20-lib,aes-generic,nhpoly1305-generic)",
+		.generic_driver = "adiantum(xchacha20-lib,aes-generic)",
 		.test = alg_test_skcipher,
 		.suite = {
 			.cipher = __VECS(adiantum_xchacha20_aes_tv_template)
 		},
 	}, {
-- 
2.52.0

[PATCH 07/12] crypto: adiantum - Use scatter_walk API instead of sg_miter

[Eric Biggers]

Make adiantum_hash_message() use the scatter_walk API instead of
sg_miter.  scatter_walk is a bit simpler and also more efficient.  For
example, unlike sg_miter, scatter_walk doesn't require that the number
of scatterlist entries be calculated up-front.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 crypto/adiantum.c | 33 +++++++++++++++------------------
 1 file changed, 15 insertions(+), 18 deletions(-)

diff --git a/crypto/adiantum.c b/crypto/adiantum.c
index bbe519fbd739..519e95228ad8 100644
--- a/crypto/adiantum.c
+++ b/crypto/adiantum.c
@@ -367,30 +367,27 @@ static void nhpoly1305_final(struct nhpoly1305_ctx *ctx,
  * evaluated as a polynomial in GF(2^{130}-5), like in the Poly1305 MAC.  Note
  * that the polynomial evaluation by itself would suffice to achieve the ε-∆U
  * property; NH is used for performance since it's much faster than Poly1305.
  */
 static void adiantum_hash_message(struct skcipher_request *req,
-				  struct scatterlist *sgl, unsigned int nents,
-				  le128 *out)
+				  struct scatterlist *sgl, le128 *out)
 {
 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
 	const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
 	struct adiantum_request_ctx *rctx = skcipher_request_ctx(req);
-	const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE;
-	struct sg_mapping_iter miter;
-	unsigned int i, n;
+	unsigned int len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE;
+	struct scatter_walk walk;
 
 	nhpoly1305_init(&rctx->u.hash_ctx);
+	scatterwalk_start(&walk, sgl);
+	while (len) {
+		unsigned int n = scatterwalk_next(&walk, len);
 
-	sg_miter_start(&miter, sgl, nents, SG_MITER_FROM_SG | SG_MITER_ATOMIC);
-	for (i = 0; i < bulk_len; i += n) {
-		sg_miter_next(&miter);
-		n = min_t(unsigned int, miter.length, bulk_len - i);
-		nhpoly1305_update(&rctx->u.hash_ctx, tctx, miter.addr, n);
+		nhpoly1305_update(&rctx->u.hash_ctx, tctx, walk.addr, n);
+		scatterwalk_done_src(&walk, n);
+		len -= n;
 	}
-	sg_miter_stop(&miter);
-
 	nhpoly1305_final(&rctx->u.hash_ctx, tctx, out);
 }
 
 /* Continue Adiantum encryption/decryption after the stream cipher step */
 static int adiantum_finish(struct skcipher_request *req)
@@ -398,11 +395,10 @@ static int adiantum_finish(struct skcipher_request *req)
 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
 	const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
 	struct adiantum_request_ctx *rctx = skcipher_request_ctx(req);
 	const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE;
 	struct scatterlist *dst = req->dst;
-	const unsigned int dst_nents = sg_nents(dst);
 	le128 digest;
 
 	/* If decrypting, decrypt C_M with the block cipher to get P_M */
 	if (!rctx->enc)
 		crypto_cipher_decrypt_one(tctx->blockcipher, rctx->rbuf.bytes,
@@ -412,11 +408,12 @@ static int adiantum_finish(struct skcipher_request *req)
 	 * Second hash step
 	 *	enc: C_R = C_M - H_{K_H}(T, C_L)
 	 *	dec: P_R = P_M - H_{K_H}(T, P_L)
 	 */
 	le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &rctx->header_hash);
-	if (dst_nents == 1 && dst->offset + req->cryptlen <= PAGE_SIZE) {
+	if (dst->length >= req->cryptlen &&
+	    dst->offset + req->cryptlen <= PAGE_SIZE) {
 		/* Fast path for single-page destination */
 		struct page *page = sg_page(dst);
 		void *virt = kmap_local_page(page) + dst->offset;
 
 		nhpoly1305_init(&rctx->u.hash_ctx);
@@ -426,11 +423,11 @@ static int adiantum_finish(struct skcipher_request *req)
 		memcpy(virt + bulk_len, &rctx->rbuf.bignum, sizeof(le128));
 		flush_dcache_page(page);
 		kunmap_local(virt);
 	} else {
 		/* Slow path that works for any destination scatterlist */
-		adiantum_hash_message(req, dst, dst_nents, &digest);
+		adiantum_hash_message(req, dst, &digest);
 		le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest);
 		scatterwalk_map_and_copy(&rctx->rbuf.bignum, dst,
 					 bulk_len, sizeof(le128), 1);
 	}
 	return 0;
@@ -451,11 +448,10 @@ static int adiantum_crypt(struct skcipher_request *req, bool enc)
 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
 	const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
 	struct adiantum_request_ctx *rctx = skcipher_request_ctx(req);
 	const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE;
 	struct scatterlist *src = req->src;
-	const unsigned int src_nents = sg_nents(src);
 	unsigned int stream_len;
 	le128 digest;
 
 	if (req->cryptlen < BLOCKCIPHER_BLOCK_SIZE)
 		return -EINVAL;
@@ -466,22 +462,23 @@ static int adiantum_crypt(struct skcipher_request *req, bool enc)
 	 * First hash step
 	 *	enc: P_M = P_R + H_{K_H}(T, P_L)
 	 *	dec: C_M = C_R + H_{K_H}(T, C_L)
 	 */
 	adiantum_hash_header(req);
-	if (src_nents == 1 && src->offset + req->cryptlen <= PAGE_SIZE) {
+	if (src->length >= req->cryptlen &&
+	    src->offset + req->cryptlen <= PAGE_SIZE) {
 		/* Fast path for single-page source */
 		void *virt = kmap_local_page(sg_page(src)) + src->offset;
 
 		nhpoly1305_init(&rctx->u.hash_ctx);
 		nhpoly1305_update(&rctx->u.hash_ctx, tctx, virt, bulk_len);
 		nhpoly1305_final(&rctx->u.hash_ctx, tctx, &digest);
 		memcpy(&rctx->rbuf.bignum, virt + bulk_len, sizeof(le128));
 		kunmap_local(virt);
 	} else {
 		/* Slow path that works for any source scatterlist */
-		adiantum_hash_message(req, src, src_nents, &digest);
+		adiantum_hash_message(req, src, &digest);
 		scatterwalk_map_and_copy(&rctx->rbuf.bignum, src,
 					 bulk_len, sizeof(le128), 0);
 	}
 	le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &rctx->header_hash);
 	le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest);
-- 
2.52.0

[PATCH 08/12] crypto: adiantum - Use memcpy_{to,from}_sglist()

[Eric Biggers]

Call the newer, easier-to-read functions memcpy_to_sglist() and
memcpy_from_sglist() directly instead of calling
scatterwalk_map_and_copy().  No change in behavior.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 crypto/adiantum.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/crypto/adiantum.c b/crypto/adiantum.c
index 519e95228ad8..6d882f926ab0 100644
--- a/crypto/adiantum.c
+++ b/crypto/adiantum.c
@@ -425,12 +425,12 @@ static int adiantum_finish(struct skcipher_request *req)
 		kunmap_local(virt);
 	} else {
 		/* Slow path that works for any destination scatterlist */
 		adiantum_hash_message(req, dst, &digest);
 		le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest);
-		scatterwalk_map_and_copy(&rctx->rbuf.bignum, dst,
-					 bulk_len, sizeof(le128), 1);
+		memcpy_to_sglist(dst, bulk_len, &rctx->rbuf.bignum,
+				 sizeof(le128));
 	}
 	return 0;
 }
 
 static void adiantum_streamcipher_done(void *data, int err)
@@ -475,12 +475,12 @@ static int adiantum_crypt(struct skcipher_request *req, bool enc)
 		memcpy(&rctx->rbuf.bignum, virt + bulk_len, sizeof(le128));
 		kunmap_local(virt);
 	} else {
 		/* Slow path that works for any source scatterlist */
 		adiantum_hash_message(req, src, &digest);
-		scatterwalk_map_and_copy(&rctx->rbuf.bignum, src,
-					 bulk_len, sizeof(le128), 0);
+		memcpy_from_sglist(&rctx->rbuf.bignum, src, bulk_len,
+				   sizeof(le128));
 	}
 	le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &rctx->header_hash);
 	le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest);
 
 	/* If encrypting, encrypt P_M with the block cipher to get C_M */
-- 
2.52.0

Re: [PATCH 08/12] crypto: adiantum - Use memcpy_{to,from}_sglist()

[Herbert Xu]

On Wed, Dec 10, 2025 at 05:18:40PM -0800, Eric Biggers wrote:
> Call the newer, easier-to-read functions memcpy_to_sglist() and
> memcpy_from_sglist() directly instead of calling
> scatterwalk_map_and_copy().  No change in behavior.
> 
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> ---
>  crypto/adiantum.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)

Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

[PATCH 09/12] crypto: adiantum - Drop support for asynchronous xchacha ciphers

[Eric Biggers]

This feature isn't useful in practice.  Simplify and streamline the code
in the synchronous case, i.e. the case that actually matters, instead.

For example, by no longer having to support resuming the calculation
after an asynchronous return of the xchacha cipher, we can just keep
more of the state on the stack instead of in the request context.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 crypto/adiantum.c | 174 +++++++++++++++++++---------------------------
 1 file changed, 70 insertions(+), 104 deletions(-)

diff --git a/crypto/adiantum.c b/crypto/adiantum.c
index 6d882f926ab0..5ddf585abb66 100644
--- a/crypto/adiantum.c
+++ b/crypto/adiantum.c
@@ -81,33 +81,10 @@ struct nhpoly1305_ctx {
 
 	__le64 nh_hash[NH_NUM_PASSES];
 };
 
 struct adiantum_request_ctx {
-
-	/*
-	 * Buffer for right-hand part of data, i.e.
-	 *
-	 *    P_L => P_M => C_M => C_R when encrypting, or
-	 *    C_R => C_M => P_M => P_L when decrypting.
-	 *
-	 * Also used to build the IV for the stream cipher.
-	 */
-	union {
-		u8 bytes[XCHACHA_IV_SIZE];
-		__le32 words[XCHACHA_IV_SIZE / sizeof(__le32)];
-		le128 bignum;	/* interpret as element of Z/(2^{128}Z) */
-	} rbuf;
-
-	bool enc; /* true if encrypting, false if decrypting */
-
-	/*
-	 * The result of the Poly1305 ε-∆U hash function applied to
-	 * (bulk length, tweak)
-	 */
-	le128 header_hash;
-
 	/*
 	 * skcipher sub-request size is unknown at compile-time, so it needs to
 	 * go after the members with known sizes.
 	 */
 	union {
@@ -214,25 +191,24 @@ static inline void le128_sub(le128 *r, const le128 *v1, const le128 *v2)
 			   (x - y > x));
 }
 
 /*
  * Apply the Poly1305 ε-∆U hash function to (bulk length, tweak) and save the
- * result to rctx->header_hash.  This is the calculation
+ * result to @out.  This is the calculation
  *
  *	H_T ← Poly1305_{K_T}(bin_{128}(|L|) || T)
  *
  * from the procedure in section 6.4 of the Adiantum paper.  The resulting value
  * is reused in both the first and second hash steps.  Specifically, it's added
  * to the result of an independently keyed ε-∆U hash function (for equal length
  * inputs only) taken over the left-hand part (the "bulk") of the message, to
  * give the overall Adiantum hash of the (tweak, left-hand part) pair.
  */
-static void adiantum_hash_header(struct skcipher_request *req)
+static void adiantum_hash_header(struct skcipher_request *req, le128 *out)
 {
 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
 	const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
-	struct adiantum_request_ctx *rctx = skcipher_request_ctx(req);
 	const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE;
 	struct {
 		__le64 message_bits;
 		__le64 padding;
 	} header = {
@@ -248,11 +224,11 @@ static void adiantum_hash_header(struct skcipher_request *req)
 
 	BUILD_BUG_ON(TWEAK_SIZE % POLY1305_BLOCK_SIZE != 0);
 	poly1305_core_blocks(&state, &tctx->header_hash_key, req->iv,
 			     TWEAK_SIZE / POLY1305_BLOCK_SIZE, 1);
 
-	poly1305_core_emit(&state, NULL, &rctx->header_hash);
+	poly1305_core_emit(&state, NULL, out);
 }
 
 /* Pass the next NH hash value through Poly1305 */
 static void process_nh_hash_value(struct nhpoly1305_ctx *ctx,
 				  const struct adiantum_tfm_ctx *key)
@@ -387,116 +363,73 @@ static void adiantum_hash_message(struct skcipher_request *req,
 		len -= n;
 	}
 	nhpoly1305_final(&rctx->u.hash_ctx, tctx, out);
 }
 
-/* Continue Adiantum encryption/decryption after the stream cipher step */
-static int adiantum_finish(struct skcipher_request *req)
+static int adiantum_crypt(struct skcipher_request *req, bool enc)
 {
 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
 	const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
 	struct adiantum_request_ctx *rctx = skcipher_request_ctx(req);
 	const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE;
-	struct scatterlist *dst = req->dst;
-	le128 digest;
-
-	/* If decrypting, decrypt C_M with the block cipher to get P_M */
-	if (!rctx->enc)
-		crypto_cipher_decrypt_one(tctx->blockcipher, rctx->rbuf.bytes,
-					  rctx->rbuf.bytes);
-
+	struct scatterlist *src = req->src, *dst = req->dst;
 	/*
-	 * Second hash step
-	 *	enc: C_R = C_M - H_{K_H}(T, C_L)
-	 *	dec: P_R = P_M - H_{K_H}(T, P_L)
+	 * Buffer for right-hand part of data, i.e.
+	 *
+	 *    P_L => P_M => C_M => C_R when encrypting, or
+	 *    C_R => C_M => P_M => P_L when decrypting.
+	 *
+	 * Also used to build the IV for the stream cipher.
 	 */
-	le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &rctx->header_hash);
-	if (dst->length >= req->cryptlen &&
-	    dst->offset + req->cryptlen <= PAGE_SIZE) {
-		/* Fast path for single-page destination */
-		struct page *page = sg_page(dst);
-		void *virt = kmap_local_page(page) + dst->offset;
-
-		nhpoly1305_init(&rctx->u.hash_ctx);
-		nhpoly1305_update(&rctx->u.hash_ctx, tctx, virt, bulk_len);
-		nhpoly1305_final(&rctx->u.hash_ctx, tctx, &digest);
-		le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest);
-		memcpy(virt + bulk_len, &rctx->rbuf.bignum, sizeof(le128));
-		flush_dcache_page(page);
-		kunmap_local(virt);
-	} else {
-		/* Slow path that works for any destination scatterlist */
-		adiantum_hash_message(req, dst, &digest);
-		le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest);
-		memcpy_to_sglist(dst, bulk_len, &rctx->rbuf.bignum,
-				 sizeof(le128));
-	}
-	return 0;
-}
-
-static void adiantum_streamcipher_done(void *data, int err)
-{
-	struct skcipher_request *req = data;
-
-	if (!err)
-		err = adiantum_finish(req);
-
-	skcipher_request_complete(req, err);
-}
-
-static int adiantum_crypt(struct skcipher_request *req, bool enc)
-{
-	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
-	const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm);
-	struct adiantum_request_ctx *rctx = skcipher_request_ctx(req);
-	const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE;
-	struct scatterlist *src = req->src;
+	union {
+		u8 bytes[XCHACHA_IV_SIZE];
+		__le32 words[XCHACHA_IV_SIZE / sizeof(__le32)];
+		le128 bignum; /* interpret as element of Z/(2^{128}Z) */
+	} rbuf;
+	le128 header_hash, msg_hash;
 	unsigned int stream_len;
-	le128 digest;
+	int err;
 
 	if (req->cryptlen < BLOCKCIPHER_BLOCK_SIZE)
 		return -EINVAL;
 
-	rctx->enc = enc;
-
 	/*
 	 * First hash step
 	 *	enc: P_M = P_R + H_{K_H}(T, P_L)
 	 *	dec: C_M = C_R + H_{K_H}(T, C_L)
 	 */
-	adiantum_hash_header(req);
+	adiantum_hash_header(req, &header_hash);
 	if (src->length >= req->cryptlen &&
 	    src->offset + req->cryptlen <= PAGE_SIZE) {
 		/* Fast path for single-page source */
 		void *virt = kmap_local_page(sg_page(src)) + src->offset;
 
 		nhpoly1305_init(&rctx->u.hash_ctx);
 		nhpoly1305_update(&rctx->u.hash_ctx, tctx, virt, bulk_len);
-		nhpoly1305_final(&rctx->u.hash_ctx, tctx, &digest);
-		memcpy(&rctx->rbuf.bignum, virt + bulk_len, sizeof(le128));
+		nhpoly1305_final(&rctx->u.hash_ctx, tctx, &msg_hash);
+		memcpy(&rbuf.bignum, virt + bulk_len, sizeof(le128));
 		kunmap_local(virt);
 	} else {
 		/* Slow path that works for any source scatterlist */
-		adiantum_hash_message(req, src, &digest);
-		memcpy_from_sglist(&rctx->rbuf.bignum, src, bulk_len,
-				   sizeof(le128));
+		adiantum_hash_message(req, src, &msg_hash);
+		memcpy_from_sglist(&rbuf.bignum, src, bulk_len, sizeof(le128));
 	}
-	le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &rctx->header_hash);
-	le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest);
+	le128_add(&rbuf.bignum, &rbuf.bignum, &header_hash);
+	le128_add(&rbuf.bignum, &rbuf.bignum, &msg_hash);
 
 	/* If encrypting, encrypt P_M with the block cipher to get C_M */
 	if (enc)
-		crypto_cipher_encrypt_one(tctx->blockcipher, rctx->rbuf.bytes,
-					  rctx->rbuf.bytes);
+		crypto_cipher_encrypt_one(tctx->blockcipher, rbuf.bytes,
+					  rbuf.bytes);
 
 	/* Initialize the rest of the XChaCha IV (first part is C_M) */
 	BUILD_BUG_ON(BLOCKCIPHER_BLOCK_SIZE != 16);
 	BUILD_BUG_ON(XCHACHA_IV_SIZE != 32);	/* nonce || stream position */
-	rctx->rbuf.words[4] = cpu_to_le32(1);
-	rctx->rbuf.words[5] = 0;
-	rctx->rbuf.words[6] = 0;
-	rctx->rbuf.words[7] = 0;
+	rbuf.words[4] = cpu_to_le32(1);
+	rbuf.words[5] = 0;
+	rbuf.words[6] = 0;
+	rbuf.words[7] = 0;
 
 	/*
 	 * XChaCha needs to be done on all the data except the last 16 bytes;
 	 * for disk encryption that usually means 4080 or 496 bytes.  But ChaCha
 	 * implementations tend to be most efficient when passed a whole number
@@ -509,16 +442,48 @@ static int adiantum_crypt(struct skcipher_request *req, bool enc)
 	if (round_up(stream_len, CHACHA_BLOCK_SIZE) <= req->cryptlen)
 		stream_len = round_up(stream_len, CHACHA_BLOCK_SIZE);
 
 	skcipher_request_set_tfm(&rctx->u.streamcipher_req, tctx->streamcipher);
 	skcipher_request_set_crypt(&rctx->u.streamcipher_req, req->src,
-				   req->dst, stream_len, &rctx->rbuf);
+				   req->dst, stream_len, &rbuf);
 	skcipher_request_set_callback(&rctx->u.streamcipher_req,
-				      req->base.flags,
-				      adiantum_streamcipher_done, req);
-	return crypto_skcipher_encrypt(&rctx->u.streamcipher_req) ?:
-		adiantum_finish(req);
+				      req->base.flags, NULL, NULL);
+	err = crypto_skcipher_encrypt(&rctx->u.streamcipher_req);
+	if (err)
+		return err;
+
+	/* If decrypting, decrypt C_M with the block cipher to get P_M */
+	if (!enc)
+		crypto_cipher_decrypt_one(tctx->blockcipher, rbuf.bytes,
+					  rbuf.bytes);
+
+	/*
+	 * Second hash step
+	 *	enc: C_R = C_M - H_{K_H}(T, C_L)
+	 *	dec: P_R = P_M - H_{K_H}(T, P_L)
+	 */
+	le128_sub(&rbuf.bignum, &rbuf.bignum, &header_hash);
+	if (dst->length >= req->cryptlen &&
+	    dst->offset + req->cryptlen <= PAGE_SIZE) {
+		/* Fast path for single-page destination */
+		struct page *page = sg_page(dst);
+		void *virt = kmap_local_page(page) + dst->offset;
+
+		nhpoly1305_init(&rctx->u.hash_ctx);
+		nhpoly1305_update(&rctx->u.hash_ctx, tctx, virt, bulk_len);
+		nhpoly1305_final(&rctx->u.hash_ctx, tctx, &msg_hash);
+		le128_sub(&rbuf.bignum, &rbuf.bignum, &msg_hash);
+		memcpy(virt + bulk_len, &rbuf.bignum, sizeof(le128));
+		flush_dcache_page(page);
+		kunmap_local(virt);
+	} else {
+		/* Slow path that works for any destination scatterlist */
+		adiantum_hash_message(req, dst, &msg_hash);
+		le128_sub(&rbuf.bignum, &rbuf.bignum, &msg_hash);
+		memcpy_to_sglist(dst, bulk_len, &rbuf.bignum, sizeof(le128));
+	}
+	return 0;
 }
 
 static int adiantum_encrypt(struct skcipher_request *req)
 {
 	return adiantum_crypt(req, true);
@@ -622,11 +587,12 @@ static int adiantum_create(struct crypto_template *tmpl, struct rtattr **tb)
 	ictx = skcipher_instance_ctx(inst);
 
 	/* Stream cipher, e.g. "xchacha12" */
 	err = crypto_grab_skcipher(&ictx->streamcipher_spawn,
 				   skcipher_crypto_instance(inst),
-				   crypto_attr_alg_name(tb[1]), 0, mask);
+				   crypto_attr_alg_name(tb[1]), 0,
+				   mask | CRYPTO_ALG_ASYNC /* sync only */);
 	if (err)
 		goto err_free_inst;
 	streamcipher_alg = crypto_spawn_skcipher_alg_common(&ictx->streamcipher_spawn);
 
 	/* Block cipher, e.g. "aes" */
-- 
2.52.0

[PATCH 10/12] crypto: nhpoly1305 - Remove crypto_shash support

[Eric Biggers]

Remove nhpoly1305 support from crypto_shash.  It no longer has any user
now that crypto/adiantum.c no longer uses it.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 crypto/Kconfig              |   6 -
 crypto/Makefile             |   1 -
 crypto/nhpoly1305.c         | 255 ------------------------------------
 include/crypto/nhpoly1305.h |  74 -----------
 4 files changed, 336 deletions(-)
 delete mode 100644 crypto/nhpoly1305.c
 delete mode 100644 include/crypto/nhpoly1305.h

diff --git a/crypto/Kconfig b/crypto/Kconfig
index 89d1ccaa1fa0..12a87f7cf150 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -757,16 +757,10 @@ config CRYPTO_XTS
 
 	  Use with aes-xts-plain, key size 256, 384 or 512 bits. This
 	  implementation currently can't handle a sectorsize which is not a
 	  multiple of 16 bytes.
 
-config CRYPTO_NHPOLY1305
-	tristate
-	select CRYPTO_HASH
-	select CRYPTO_LIB_POLY1305
-	select CRYPTO_LIB_POLY1305_GENERIC
-
 endmenu
 
 menu "AEAD (authenticated encryption with associated data) ciphers"
 
 config CRYPTO_AEGIS128
diff --git a/crypto/Makefile b/crypto/Makefile
index 16a35649dd91..23d3db7be425 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -92,11 +92,10 @@ obj-$(CONFIG_CRYPTO_LRW) += lrw.o
 obj-$(CONFIG_CRYPTO_XTS) += xts.o
 obj-$(CONFIG_CRYPTO_CTR) += ctr.o
 obj-$(CONFIG_CRYPTO_XCTR) += xctr.o
 obj-$(CONFIG_CRYPTO_HCTR2) += hctr2.o
 obj-$(CONFIG_CRYPTO_ADIANTUM) += adiantum.o
-obj-$(CONFIG_CRYPTO_NHPOLY1305) += nhpoly1305.o
 obj-$(CONFIG_CRYPTO_GCM) += gcm.o
 obj-$(CONFIG_CRYPTO_CCM) += ccm.o
 obj-$(CONFIG_CRYPTO_CHACHA20POLY1305) += chacha20poly1305.o
 obj-$(CONFIG_CRYPTO_AEGIS128) += aegis128.o
 aegis128-y := aegis128-core.o
diff --git a/crypto/nhpoly1305.c b/crypto/nhpoly1305.c
deleted file mode 100644
index 2b648615b5ec..000000000000
--- a/crypto/nhpoly1305.c
+++ /dev/null
@@ -1,255 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * NHPoly1305 - ε-almost-∆-universal hash function for Adiantum
- *
- * Copyright 2018 Google LLC
- */
-
-/*
- * "NHPoly1305" is the main component of Adiantum hashing.
- * Specifically, it is the calculation
- *
- *	H_L ← Poly1305_{K_L}(NH_{K_N}(pad_{128}(L)))
- *
- * from the procedure in section 6.4 of the Adiantum paper [1].  It is an
- * ε-almost-∆-universal (ε-∆U) hash function for equal-length inputs over
- * Z/(2^{128}Z), where the "∆" operation is addition.  It hashes 1024-byte
- * chunks of the input with the NH hash function [2], reducing the input length
- * by 32x.  The resulting NH digests are evaluated as a polynomial in
- * GF(2^{130}-5), like in the Poly1305 MAC [3].  Note that the polynomial
- * evaluation by itself would suffice to achieve the ε-∆U property; NH is used
- * for performance since it's over twice as fast as Poly1305.
- *
- * This is *not* a cryptographic hash function; do not use it as such!
- *
- * [1] Adiantum: length-preserving encryption for entry-level processors
- *     (https://eprint.iacr.org/2018/720.pdf)
- * [2] UMAC: Fast and Secure Message Authentication
- *     (https://fastcrypto.org/umac/umac_proc.pdf)
- * [3] The Poly1305-AES message-authentication code
- *     (https://cr.yp.to/mac/poly1305-20050329.pdf)
- */
-
-#include <linux/unaligned.h>
-#include <crypto/algapi.h>
-#include <crypto/internal/hash.h>
-#include <crypto/internal/poly1305.h>
-#include <crypto/nhpoly1305.h>
-#include <linux/crypto.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-
-static void nh_generic(const u32 *key, const u8 *message, size_t message_len,
-		       __le64 hash[NH_NUM_PASSES])
-{
-	u64 sums[4] = { 0, 0, 0, 0 };
-
-	BUILD_BUG_ON(NH_PAIR_STRIDE != 2);
-	BUILD_BUG_ON(NH_NUM_PASSES != 4);
-
-	while (message_len) {
-		u32 m0 = get_unaligned_le32(message + 0);
-		u32 m1 = get_unaligned_le32(message + 4);
-		u32 m2 = get_unaligned_le32(message + 8);
-		u32 m3 = get_unaligned_le32(message + 12);
-
-		sums[0] += (u64)(u32)(m0 + key[ 0]) * (u32)(m2 + key[ 2]);
-		sums[1] += (u64)(u32)(m0 + key[ 4]) * (u32)(m2 + key[ 6]);
-		sums[2] += (u64)(u32)(m0 + key[ 8]) * (u32)(m2 + key[10]);
-		sums[3] += (u64)(u32)(m0 + key[12]) * (u32)(m2 + key[14]);
-		sums[0] += (u64)(u32)(m1 + key[ 1]) * (u32)(m3 + key[ 3]);
-		sums[1] += (u64)(u32)(m1 + key[ 5]) * (u32)(m3 + key[ 7]);
-		sums[2] += (u64)(u32)(m1 + key[ 9]) * (u32)(m3 + key[11]);
-		sums[3] += (u64)(u32)(m1 + key[13]) * (u32)(m3 + key[15]);
-		key += NH_MESSAGE_UNIT / sizeof(key[0]);
-		message += NH_MESSAGE_UNIT;
-		message_len -= NH_MESSAGE_UNIT;
-	}
-
-	hash[0] = cpu_to_le64(sums[0]);
-	hash[1] = cpu_to_le64(sums[1]);
-	hash[2] = cpu_to_le64(sums[2]);
-	hash[3] = cpu_to_le64(sums[3]);
-}
-
-/* Pass the next NH hash value through Poly1305 */
-static void process_nh_hash_value(struct nhpoly1305_state *state,
-				  const struct nhpoly1305_key *key)
-{
-	BUILD_BUG_ON(NH_HASH_BYTES % POLY1305_BLOCK_SIZE != 0);
-
-	poly1305_core_blocks(&state->poly_state, &key->poly_key, state->nh_hash,
-			     NH_HASH_BYTES / POLY1305_BLOCK_SIZE, 1);
-}
-
-/*
- * Feed the next portion of the source data, as a whole number of 16-byte
- * "NH message units", through NH and Poly1305.  Each NH hash is taken over
- * 1024 bytes, except possibly the final one which is taken over a multiple of
- * 16 bytes up to 1024.  Also, in the case where data is passed in misaligned
- * chunks, we combine partial hashes; the end result is the same either way.
- */
-static void nhpoly1305_units(struct nhpoly1305_state *state,
-			     const struct nhpoly1305_key *key,
-			     const u8 *src, unsigned int srclen, nh_t nh_fn)
-{
-	do {
-		unsigned int bytes;
-
-		if (state->nh_remaining == 0) {
-			/* Starting a new NH message */
-			bytes = min_t(unsigned int, srclen, NH_MESSAGE_BYTES);
-			nh_fn(key->nh_key, src, bytes, state->nh_hash);
-			state->nh_remaining = NH_MESSAGE_BYTES - bytes;
-		} else {
-			/* Continuing a previous NH message */
-			__le64 tmp_hash[NH_NUM_PASSES];
-			unsigned int pos;
-			int i;
-
-			pos = NH_MESSAGE_BYTES - state->nh_remaining;
-			bytes = min(srclen, state->nh_remaining);
-			nh_fn(&key->nh_key[pos / 4], src, bytes, tmp_hash);
-			for (i = 0; i < NH_NUM_PASSES; i++)
-				le64_add_cpu(&state->nh_hash[i],
-					     le64_to_cpu(tmp_hash[i]));
-			state->nh_remaining -= bytes;
-		}
-		if (state->nh_remaining == 0)
-			process_nh_hash_value(state, key);
-		src += bytes;
-		srclen -= bytes;
-	} while (srclen);
-}
-
-int crypto_nhpoly1305_setkey(struct crypto_shash *tfm,
-			     const u8 *key, unsigned int keylen)
-{
-	struct nhpoly1305_key *ctx = crypto_shash_ctx(tfm);
-	int i;
-
-	if (keylen != NHPOLY1305_KEY_SIZE)
-		return -EINVAL;
-
-	poly1305_core_setkey(&ctx->poly_key, key);
-	key += POLY1305_BLOCK_SIZE;
-
-	for (i = 0; i < NH_KEY_WORDS; i++)
-		ctx->nh_key[i] = get_unaligned_le32(key + i * sizeof(u32));
-
-	return 0;
-}
-EXPORT_SYMBOL(crypto_nhpoly1305_setkey);
-
-int crypto_nhpoly1305_init(struct shash_desc *desc)
-{
-	struct nhpoly1305_state *state = shash_desc_ctx(desc);
-
-	poly1305_core_init(&state->poly_state);
-	state->buflen = 0;
-	state->nh_remaining = 0;
-	return 0;
-}
-EXPORT_SYMBOL(crypto_nhpoly1305_init);
-
-int crypto_nhpoly1305_update_helper(struct shash_desc *desc,
-				    const u8 *src, unsigned int srclen,
-				    nh_t nh_fn)
-{
-	struct nhpoly1305_state *state = shash_desc_ctx(desc);
-	const struct nhpoly1305_key *key = crypto_shash_ctx(desc->tfm);
-	unsigned int bytes;
-
-	if (state->buflen) {
-		bytes = min(srclen, (int)NH_MESSAGE_UNIT - state->buflen);
-		memcpy(&state->buffer[state->buflen], src, bytes);
-		state->buflen += bytes;
-		if (state->buflen < NH_MESSAGE_UNIT)
-			return 0;
-		nhpoly1305_units(state, key, state->buffer, NH_MESSAGE_UNIT,
-				 nh_fn);
-		state->buflen = 0;
-		src += bytes;
-		srclen -= bytes;
-	}
-
-	if (srclen >= NH_MESSAGE_UNIT) {
-		bytes = round_down(srclen, NH_MESSAGE_UNIT);
-		nhpoly1305_units(state, key, src, bytes, nh_fn);
-		src += bytes;
-		srclen -= bytes;
-	}
-
-	if (srclen) {
-		memcpy(state->buffer, src, srclen);
-		state->buflen = srclen;
-	}
-	return 0;
-}
-EXPORT_SYMBOL(crypto_nhpoly1305_update_helper);
-
-int crypto_nhpoly1305_update(struct shash_desc *desc,
-			     const u8 *src, unsigned int srclen)
-{
-	return crypto_nhpoly1305_update_helper(desc, src, srclen, nh_generic);
-}
-EXPORT_SYMBOL(crypto_nhpoly1305_update);
-
-int crypto_nhpoly1305_final_helper(struct shash_desc *desc, u8 *dst, nh_t nh_fn)
-{
-	struct nhpoly1305_state *state = shash_desc_ctx(desc);
-	const struct nhpoly1305_key *key = crypto_shash_ctx(desc->tfm);
-
-	if (state->buflen) {
-		memset(&state->buffer[state->buflen], 0,
-		       NH_MESSAGE_UNIT - state->buflen);
-		nhpoly1305_units(state, key, state->buffer, NH_MESSAGE_UNIT,
-				 nh_fn);
-	}
-
-	if (state->nh_remaining)
-		process_nh_hash_value(state, key);
-
-	poly1305_core_emit(&state->poly_state, NULL, dst);
-	return 0;
-}
-EXPORT_SYMBOL(crypto_nhpoly1305_final_helper);
-
-int crypto_nhpoly1305_final(struct shash_desc *desc, u8 *dst)
-{
-	return crypto_nhpoly1305_final_helper(desc, dst, nh_generic);
-}
-EXPORT_SYMBOL(crypto_nhpoly1305_final);
-
-static struct shash_alg nhpoly1305_alg = {
-	.base.cra_name		= "nhpoly1305",
-	.base.cra_driver_name	= "nhpoly1305-generic",
-	.base.cra_priority	= 100,
-	.base.cra_ctxsize	= sizeof(struct nhpoly1305_key),
-	.base.cra_module	= THIS_MODULE,
-	.digestsize		= POLY1305_DIGEST_SIZE,
-	.init			= crypto_nhpoly1305_init,
-	.update			= crypto_nhpoly1305_update,
-	.final			= crypto_nhpoly1305_final,
-	.setkey			= crypto_nhpoly1305_setkey,
-	.descsize		= sizeof(struct nhpoly1305_state),
-};
-
-static int __init nhpoly1305_mod_init(void)
-{
-	return crypto_register_shash(&nhpoly1305_alg);
-}
-
-static void __exit nhpoly1305_mod_exit(void)
-{
-	crypto_unregister_shash(&nhpoly1305_alg);
-}
-
-module_init(nhpoly1305_mod_init);
-module_exit(nhpoly1305_mod_exit);
-
-MODULE_DESCRIPTION("NHPoly1305 ε-almost-∆-universal hash function");
-MODULE_LICENSE("GPL v2");
-MODULE_AUTHOR("Eric Biggers <ebiggers@google.com>");
-MODULE_ALIAS_CRYPTO("nhpoly1305");
-MODULE_ALIAS_CRYPTO("nhpoly1305-generic");
diff --git a/include/crypto/nhpoly1305.h b/include/crypto/nhpoly1305.h
deleted file mode 100644
index 306925fea190..000000000000
--- a/include/crypto/nhpoly1305.h
+++ /dev/null
@@ -1,74 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-/*
- * Common values and helper functions for the NHPoly1305 hash function.
- */
-
-#ifndef _NHPOLY1305_H
-#define _NHPOLY1305_H
-
-#include <crypto/hash.h>
-#include <crypto/internal/poly1305.h>
-
-/* NH parameterization: */
-
-/* Endianness: little */
-/* Word size: 32 bits (works well on NEON, SSE2, AVX2) */
-
-/* Stride: 2 words (optimal on ARM32 NEON; works okay on other CPUs too) */
-#define NH_PAIR_STRIDE		2
-#define NH_MESSAGE_UNIT		(NH_PAIR_STRIDE * 2 * sizeof(u32))
-
-/* Num passes (Toeplitz iteration count): 4, to give ε = 2^{-128} */
-#define NH_NUM_PASSES		4
-#define NH_HASH_BYTES		(NH_NUM_PASSES * sizeof(u64))
-
-/* Max message size: 1024 bytes (32x compression factor) */
-#define NH_NUM_STRIDES		64
-#define NH_MESSAGE_WORDS	(NH_PAIR_STRIDE * 2 * NH_NUM_STRIDES)
-#define NH_MESSAGE_BYTES	(NH_MESSAGE_WORDS * sizeof(u32))
-#define NH_KEY_WORDS		(NH_MESSAGE_WORDS + \
-				 NH_PAIR_STRIDE * 2 * (NH_NUM_PASSES - 1))
-#define NH_KEY_BYTES		(NH_KEY_WORDS * sizeof(u32))
-
-#define NHPOLY1305_KEY_SIZE	(POLY1305_BLOCK_SIZE + NH_KEY_BYTES)
-
-struct nhpoly1305_key {
-	struct poly1305_core_key poly_key;
-	u32 nh_key[NH_KEY_WORDS];
-};
-
-struct nhpoly1305_state {
-
-	/* Running total of polynomial evaluation */
-	struct poly1305_state poly_state;
-
-	/* Partial block buffer */
-	u8 buffer[NH_MESSAGE_UNIT];
-	unsigned int buflen;
-
-	/*
-	 * Number of bytes remaining until the current NH message reaches
-	 * NH_MESSAGE_BYTES.  When nonzero, 'nh_hash' holds the partial NH hash.
-	 */
-	unsigned int nh_remaining;
-
-	__le64 nh_hash[NH_NUM_PASSES];
-};
-
-typedef void (*nh_t)(const u32 *key, const u8 *message, size_t message_len,
-		     __le64 hash[NH_NUM_PASSES]);
-
-int crypto_nhpoly1305_setkey(struct crypto_shash *tfm,
-			     const u8 *key, unsigned int keylen);
-
-int crypto_nhpoly1305_init(struct shash_desc *desc);
-int crypto_nhpoly1305_update(struct shash_desc *desc,
-			     const u8 *src, unsigned int srclen);
-int crypto_nhpoly1305_update_helper(struct shash_desc *desc,
-				    const u8 *src, unsigned int srclen,
-				    nh_t nh_fn);
-int crypto_nhpoly1305_final(struct shash_desc *desc, u8 *dst);
-int crypto_nhpoly1305_final_helper(struct shash_desc *desc, u8 *dst,
-				   nh_t nh_fn);
-
-#endif /* _NHPOLY1305_H */
-- 
2.52.0

Re: [PATCH 10/12] crypto: nhpoly1305 - Remove crypto_shash support

[Herbert Xu]

On Wed, Dec 10, 2025 at 05:18:42PM -0800, Eric Biggers wrote:
> Remove nhpoly1305 support from crypto_shash.  It no longer has any user
> now that crypto/adiantum.c no longer uses it.
> 
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> ---
>  crypto/Kconfig              |   6 -
>  crypto/Makefile             |   1 -
>  crypto/nhpoly1305.c         | 255 ------------------------------------
>  include/crypto/nhpoly1305.h |  74 -----------
>  4 files changed, 336 deletions(-)
>  delete mode 100644 crypto/nhpoly1305.c
>  delete mode 100644 include/crypto/nhpoly1305.h

Acked-by: Herbert Xu <herbert@gondor.apana.org.au>

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

[PATCH 11/12] crypto: testmgr - Remove nhpoly1305 tests

[Eric Biggers]

These are no longer used, since nhpoly1305 support has been removed from
the crypto_shash API.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 crypto/testmgr.c |    6 -
 crypto/testmgr.h | 1372 ----------------------------------------------
 2 files changed, 1378 deletions(-)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index d9fc671d5941..5df204d9c9dd 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -5170,16 +5170,10 @@ static const struct alg_test_desc alg_test_descs[] = {
 		.alg = "michael_mic",
 		.test = alg_test_hash,
 		.suite = {
 			.hash = __VECS(michael_mic_tv_template)
 		}
-	}, {
-		.alg = "nhpoly1305",
-		.test = alg_test_hash,
-		.suite = {
-			.hash = __VECS(nhpoly1305_tv_template)
-		}
 	}, {
 		.alg = "p1363(ecdsa-nist-p192)",
 		.test = alg_test_null,
 	}, {
 		.alg = "p1363(ecdsa-nist-p256)",
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 80bf5f1b67a6..1a3329e1c325 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -7597,1382 +7597,10 @@ static const struct hash_testvec hmac_sha3_512_tv_template[] = {
 			  "\xd1\xb9\x78\x9f\x97\xae\x5b\x83"
 			  "\xc6\xf4\x4d\xfc\xf1\xd6\x7e\xba",
 	},
 };
 
-/* NHPoly1305 test vectors from https://github.com/google/adiantum */
-static const struct hash_testvec nhpoly1305_tv_template[] = {
-	{
-		.key	= "\xd2\x5d\x4c\xdd\x8d\x2b\x7f\x7a"
-			  "\xd9\xbe\x71\xec\xd1\x83\x52\xe3"
-			  "\xe1\xad\xd7\x5c\x0a\x75\x9d\xec"
-			  "\x1d\x13\x7e\x5d\x71\x07\xc9\xe4"
-			  "\x57\x2d\x44\x68\xcf\xd8\xd6\xc5"
-			  "\x39\x69\x7d\x32\x75\x51\x4f\x7e"
-			  "\xb2\x4c\xc6\x90\x51\x6e\xd9\xd6"
-			  "\xa5\x8b\x2d\xf1\x94\xf9\xf7\x5e"
-			  "\x2c\x84\x7b\x41\x0f\x88\x50\x89"
-			  "\x30\xd9\xa1\x38\x46\x6c\xc0\x4f"
-			  "\xe8\xdf\xdc\x66\xab\x24\x43\x41"
-			  "\x91\x55\x29\x65\x86\x28\x5e\x45"
-			  "\xd5\x2d\xb7\x80\x08\x9a\xc3\xd4"
-			  "\x9a\x77\x0a\xd4\xef\x3e\xe6\x3f"
-			  "\x6f\x2f\x9b\x3a\x7d\x12\x1e\x80"
-			  "\x6c\x44\xa2\x25\xe1\xf6\x60\xe9"
-			  "\x0d\xaf\xc5\x3c\xa5\x79\xae\x64"
-			  "\xbc\xa0\x39\xa3\x4d\x10\xe5\x4d"
-			  "\xd5\xe7\x89\x7a\x13\xee\x06\x78"
-			  "\xdc\xa4\xdc\x14\x27\xe6\x49\x38"
-			  "\xd0\xe0\x45\x25\x36\xc5\xf4\x79"
-			  "\x2e\x9a\x98\x04\xe4\x2b\x46\x52"
-			  "\x7c\x33\xca\xe2\x56\x51\x50\xe2"
-			  "\xa5\x9a\xae\x18\x6a\x13\xf8\xd2"
-			  "\x21\x31\x66\x02\xe2\xda\x8d\x7e"
-			  "\x41\x19\xb2\x61\xee\x48\x8f\xf1"
-			  "\x65\x24\x2e\x1e\x68\xce\x05\xd9"
-			  "\x2a\xcf\xa5\x3a\x57\xdd\x35\x91"
-			  "\x93\x01\xca\x95\xfc\x2b\x36\x04"
-			  "\xe6\x96\x97\x28\xf6\x31\xfe\xa3"
-			  "\x9d\xf6\x6a\x1e\x80\x8d\xdc\xec"
-			  "\xaf\x66\x11\x13\x02\x88\xd5\x27"
-			  "\x33\xb4\x1a\xcd\xa3\xf6\xde\x31"
-			  "\x8e\xc0\x0e\x6c\xd8\x5a\x97\x5e"
-			  "\xdd\xfd\x60\x69\x38\x46\x3f\x90"
-			  "\x5e\x97\xd3\x32\x76\xc7\x82\x49"
-			  "\xfe\xba\x06\x5f\x2f\xa2\xfd\xff"
-			  "\x80\x05\x40\xe4\x33\x03\xfb\x10"
-			  "\xc0\xde\x65\x8c\xc9\x8d\x3a\x9d"
-			  "\xb5\x7b\x36\x4b\xb5\x0c\xcf\x00"
-			  "\x9c\x87\xe4\x49\xad\x90\xda\x4a"
-			  "\xdd\xbd\xff\xe2\x32\x57\xd6\x78"
-			  "\x36\x39\x6c\xd3\x5b\x9b\x88\x59"
-			  "\x2d\xf0\x46\xe4\x13\x0e\x2b\x35"
-			  "\x0d\x0f\x73\x8a\x4f\x26\x84\x75"
-			  "\x88\x3c\xc5\x58\x66\x18\x1a\xb4"
-			  "\x64\x51\x34\x27\x1b\xa4\x11\xc9"
-			  "\x6d\x91\x8a\xfa\x32\x60\x9d\xd7"
-			  "\x87\xe5\xaa\x43\x72\xf8\xda\xd1"
-			  "\x48\x44\x13\x61\xdc\x8c\x76\x17"
-			  "\x0c\x85\x4e\xf3\xdd\xa2\x42\xd2"
-			  "\x74\xc1\x30\x1b\xeb\x35\x31\x29"
-			  "\x5b\xd7\x4c\x94\x46\x35\xa1\x23"
-			  "\x50\xf2\xa2\x8e\x7e\x4f\x23\x4f"
-			  "\x51\xff\xe2\xc9\xa3\x7d\x56\x8b"
-			  "\x41\xf2\xd0\xc5\x57\x7e\x59\xac"
-			  "\xbb\x65\xf3\xfe\xf7\x17\xef\x63"
-			  "\x7c\x6f\x23\xdd\x22\x8e\xed\x84"
-			  "\x0e\x3b\x09\xb3\xf3\xf4\x8f\xcd"
-			  "\x37\xa8\xe1\xa7\x30\xdb\xb1\xa2"
-			  "\x9c\xa2\xdf\x34\x17\x3e\x68\x44"
-			  "\xd0\xde\x03\x50\xd1\x48\x6b\x20"
-			  "\xe2\x63\x45\xa5\xea\x87\xc2\x42"
-			  "\x95\x03\x49\x05\xed\xe0\x90\x29"
-			  "\x1a\xb8\xcf\x9b\x43\xcf\x29\x7a"
-			  "\x63\x17\x41\x9f\xe0\xc9\x10\xfd"
-			  "\x2c\x56\x8c\x08\x55\xb4\xa9\x27"
-			  "\x0f\x23\xb1\x05\x6a\x12\x46\xc7"
-			  "\xe1\xfe\x28\x93\x93\xd7\x2f\xdc"
-			  "\x98\x30\xdb\x75\x8a\xbe\x97\x7a"
-			  "\x02\xfb\x8c\xba\xbe\x25\x09\xbe"
-			  "\xce\xcb\xa2\xef\x79\x4d\x0e\x9d"
-			  "\x1b\x9d\xb6\x39\x34\x38\xfa\x07"
-			  "\xec\xe8\xfc\x32\x85\x1d\xf7\x85"
-			  "\x63\xc3\x3c\xc0\x02\x75\xd7\x3f"
-			  "\xb2\x68\x60\x66\x65\x81\xc6\xb1"
-			  "\x42\x65\x4b\x4b\x28\xd7\xc7\xaa"
-			  "\x9b\xd2\xdc\x1b\x01\xe0\x26\x39"
-			  "\x01\xc1\x52\x14\xd1\x3f\xb7\xe6"
-			  "\x61\x41\xc7\x93\xd2\xa2\x67\xc6"
-			  "\xf7\x11\xb5\xf5\xea\xdd\x19\xfb"
-			  "\x4d\x21\x12\xd6\x7d\xf1\x10\xb0"
-			  "\x89\x07\xc7\x5a\x52\x73\x70\x2f"
-			  "\x32\xef\x65\x2b\x12\xb2\xf0\xf5"
-			  "\x20\xe0\x90\x59\x7e\x64\xf1\x4c"
-			  "\x41\xb3\xa5\x91\x08\xe6\x5e\x5f"
-			  "\x05\x56\x76\xb4\xb0\xcd\x70\x53"
-			  "\x10\x48\x9c\xff\xc2\x69\x55\x24"
-			  "\x87\xef\x84\xea\xfb\xa7\xbf\xa0"
-			  "\x91\x04\xad\x4f\x8b\x57\x54\x4b"
-			  "\xb6\xe9\xd1\xac\x37\x2f\x1d\x2e"
-			  "\xab\xa5\xa4\xe8\xff\xfb\xd9\x39"
-			  "\x2f\xb7\xac\xd1\xfe\x0b\x9a\x80"
-			  "\x0f\xb6\xf4\x36\x39\x90\x51\xe3"
-			  "\x0a\x2f\xb6\x45\x76\x89\xcd\x61"
-			  "\xfe\x48\x5f\x75\x1d\x13\x00\x62"
-			  "\x80\x24\x47\xe7\xbc\x37\xd7\xe3"
-			  "\x15\xe8\x68\x22\xaf\x80\x6f\x4b"
-			  "\xa8\x9f\x01\x10\x48\x14\xc3\x02"
-			  "\x52\xd2\xc7\x75\x9b\x52\x6d\x30"
-			  "\xac\x13\x85\xc8\xf7\xa3\x58\x4b"
-			  "\x49\xf7\x1c\x45\x55\x8c\x39\x9a"
-			  "\x99\x6d\x97\x27\x27\xe6\xab\xdd"
-			  "\x2c\x42\x1b\x35\xdd\x9d\x73\xbb"
-			  "\x6c\xf3\x64\xf1\xfb\xb9\xf7\xe6"
-			  "\x4a\x3c\xc0\x92\xc0\x2e\xb7\x1a"
-			  "\xbe\xab\xb3\x5a\xe5\xea\xb1\x48"
-			  "\x58\x13\x53\x90\xfd\xc3\x8e\x54"
-			  "\xf9\x18\x16\x73\xe8\xcb\x6d\x39"
-			  "\x0e\xd7\xe0\xfe\xb6\x9f\x43\x97"
-			  "\xe8\xd0\x85\x56\x83\x3e\x98\x68"
-			  "\x7f\xbd\x95\xa8\x9a\x61\x21\x8f"
-			  "\x06\x98\x34\xa6\xc8\xd6\x1d\xf3"
-			  "\x3d\x43\xa4\x9a\x8c\xe5\xd3\x5a"
-			  "\x32\xa2\x04\x22\xa4\x19\x1a\x46"
-			  "\x42\x7e\x4d\xe5\xe0\xe6\x0e\xca"
-			  "\xd5\x58\x9d\x2c\xaf\xda\x33\x5c"
-			  "\xb0\x79\x9e\xc9\xfc\xca\xf0\x2f"
-			  "\xa8\xb2\x77\xeb\x7a\xa2\xdd\x37"
-			  "\x35\x83\x07\xd6\x02\x1a\xb6\x6c"
-			  "\x24\xe2\x59\x08\x0e\xfd\x3e\x46"
-			  "\xec\x40\x93\xf4\x00\x26\x4f\x2a"
-			  "\xff\x47\x2f\xeb\x02\x92\x26\x5b"
-			  "\x53\x17\xc2\x8d\x2a\xc7\xa3\x1b"
-			  "\xcd\xbc\xa7\xe8\xd1\x76\xe3\x80"
-			  "\x21\xca\x5d\x3b\xe4\x9c\x8f\xa9"
-			  "\x5b\x7f\x29\x7f\x7c\xd8\xed\x6d"
-			  "\x8c\xb2\x86\x85\xe7\x77\xf2\x85"
-			  "\xab\x38\xa9\x9d\xc1\x4e\xc5\x64"
-			  "\x33\x73\x8b\x59\x03\xad\x05\xdf"
-			  "\x25\x98\x31\xde\xef\x13\xf1\x9b"
-			  "\x3c\x91\x9d\x7b\xb1\xfa\xe6\xbf"
-			  "\x5b\xed\xa5\x55\xe6\xea\x6c\x74"
-			  "\xf4\xb9\xe4\x45\x64\x72\x81\xc2"
-			  "\x4c\x28\xd4\xcd\xac\xe2\xde\xf9"
-			  "\xeb\x5c\xeb\x61\x60\x5a\xe5\x28",
-		.ksize	= 1088,
-		.plaintext	= "",
-		.psize	= 0,
-		.digest	= "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
-	}, {
-		.key	= "\x29\x21\x43\xcb\xcb\x13\x07\xde"
-			  "\xbf\x48\xdf\x8a\x7f\xa2\x84\xde"
-			  "\x72\x23\x9d\xf5\xf0\x07\xf2\x4c"
-			  "\x20\x3a\x93\xb9\xcd\x5d\xfe\xcb"
-			  "\x99\x2c\x2b\x58\xc6\x50\x5f\x94"
-			  "\x56\xc3\x7c\x0d\x02\x3f\xb8\x5e"
-			  "\x7b\xc0\x6c\x51\x34\x76\xc0\x0e"
-			  "\xc6\x22\xc8\x9e\x92\xa0\x21\xc9"
-			  "\x85\x5c\x7c\xf8\xe2\x64\x47\xc9"
-			  "\xe4\xa2\x57\x93\xf8\xa2\x69\xcd"
-			  "\x62\x98\x99\xf4\xd7\x7b\x14\xb1"
-			  "\xd8\x05\xff\x04\x15\xc9\xe1\x6e"
-			  "\x9b\xe6\x50\x6b\x0b\x3f\x22\x1f"
-			  "\x08\xde\x0c\x5b\x08\x7e\xc6\x2f"
-			  "\x6c\xed\xd6\xb2\x15\xa4\xb3\xf9"
-			  "\xa7\x46\x38\x2a\xea\x69\xa5\xde"
-			  "\x02\xc3\x96\x89\x4d\x55\x3b\xed"
-			  "\x3d\x3a\x85\x77\xbf\x97\x45\x5c"
-			  "\x9e\x02\x69\xe2\x1b\x68\xbe\x96"
-			  "\xfb\x64\x6f\x0f\xf6\x06\x40\x67"
-			  "\xfa\x04\xe3\x55\xfa\xbe\xa4\x60"
-			  "\xef\x21\x66\x97\xe6\x9d\x5c\x1f"
-			  "\x62\x37\xaa\x31\xde\xe4\x9c\x28"
-			  "\x95\xe0\x22\x86\xf4\x4d\xf3\x07"
-			  "\xfd\x5f\x3a\x54\x2c\x51\x80\x71"
-			  "\xba\x78\x69\x5b\x65\xab\x1f\x81"
-			  "\xed\x3b\xff\x34\xa3\xfb\xbc\x73"
-			  "\x66\x7d\x13\x7f\xdf\x6e\xe2\xe2"
-			  "\xeb\x4f\x6c\xda\x7d\x33\x57\xd0"
-			  "\xd3\x7c\x95\x4f\x33\x58\x21\xc7"
-			  "\xc0\xe5\x6f\x42\x26\xc6\x1f\x5e"
-			  "\x85\x1b\x98\x9a\xa2\x1e\x55\x77"
-			  "\x23\xdf\x81\x5e\x79\x55\x05\xfc"
-			  "\xfb\xda\xee\xba\x5a\xba\xf7\x77"
-			  "\x7f\x0e\xd3\xe1\x37\xfe\x8d\x2b"
-			  "\xd5\x3f\xfb\xd0\xc0\x3c\x0b\x3f"
-			  "\xcf\x3c\x14\xcf\xfb\x46\x72\x4c"
-			  "\x1f\x39\xe2\xda\x03\x71\x6d\x23"
-			  "\xef\x93\xcd\x39\xd9\x37\x80\x4d"
-			  "\x65\x61\xd1\x2c\x03\xa9\x47\x72"
-			  "\x4d\x1e\x0e\x16\x33\x0f\x21\x17"
-			  "\xec\x92\xea\x6f\x37\x22\xa4\xd8"
-			  "\x03\x33\x9e\xd8\x03\x69\x9a\xe8"
-			  "\xb2\x57\xaf\x78\x99\x05\x12\xab"
-			  "\x48\x90\x80\xf0\x12\x9b\x20\x64"
-			  "\x7a\x1d\x47\x5f\xba\x3c\xf9\xc3"
-			  "\x0a\x0d\x8d\xa1\xf9\x1b\x82\x13"
-			  "\x3e\x0d\xec\x0a\x83\xc0\x65\xe1"
-			  "\xe9\x95\xff\x97\xd6\xf2\xe4\xd5"
-			  "\x86\xc0\x1f\x29\x27\x63\xd7\xde"
-			  "\xb7\x0a\x07\x99\x04\x2d\xa3\x89"
-			  "\xa2\x43\xcf\xf3\xe1\x43\xac\x4a"
-			  "\x06\x97\xd0\x05\x4f\x87\xfa\xf9"
-			  "\x9b\xbf\x52\x70\xbd\xbc\x6c\xf3"
-			  "\x03\x13\x60\x41\x28\x09\xec\xcc"
-			  "\xb1\x1a\xec\xd6\xfb\x6f\x2a\x89"
-			  "\x5d\x0b\x53\x9c\x59\xc1\x84\x21"
-			  "\x33\x51\x47\x19\x31\x9c\xd4\x0a"
-			  "\x4d\x04\xec\x50\x90\x61\xbd\xbc"
-			  "\x7e\xc8\xd9\x6c\x98\x1d\x45\x41"
-			  "\x17\x5e\x97\x1c\xc5\xa8\xe8\xea"
-			  "\x46\x58\x53\xf7\x17\xd5\xad\x11"
-			  "\xc8\x54\xf5\x7a\x33\x90\xf5\x19"
-			  "\xba\x36\xb4\xfc\x52\xa5\x72\x3d"
-			  "\x14\xbb\x55\xa7\xe9\xe3\x12\xf7"
-			  "\x1c\x30\xa2\x82\x03\xbf\x53\x91"
-			  "\x2e\x60\x41\x9f\x5b\x69\x39\xf6"
-			  "\x4d\xc8\xf8\x46\x7a\x7f\xa4\x98"
-			  "\x36\xff\x06\xcb\xca\xe7\x33\xf2"
-			  "\xc0\x4a\xf4\x3c\x14\x44\x5f\x6b"
-			  "\x75\xef\x02\x36\x75\x08\x14\xfd"
-			  "\x10\x8e\xa5\x58\xd0\x30\x46\x49"
-			  "\xaf\x3a\xf8\x40\x3d\x35\xdb\x84"
-			  "\x11\x2e\x97\x6a\xb7\x87\x7f\xad"
-			  "\xf1\xfa\xa5\x63\x60\xd8\x5e\xbf"
-			  "\x41\x78\x49\xcf\x77\xbb\x56\xbb"
-			  "\x7d\x01\x67\x05\x22\xc8\x8f\x41"
-			  "\xba\x81\xd2\xca\x2c\x38\xac\x76"
-			  "\x06\xc1\x1a\xc2\xce\xac\x90\x67"
-			  "\x57\x3e\x20\x12\x5b\xd9\x97\x58"
-			  "\x65\x05\xb7\x04\x61\x7e\xd8\x3a"
-			  "\xbf\x55\x3b\x13\xe9\x34\x5a\x37"
-			  "\x36\xcb\x94\x45\xc5\x32\xb3\xa0"
-			  "\x0c\x3e\x49\xc5\xd3\xed\xa7\xf0"
-			  "\x1c\x69\xcc\xea\xcc\x83\xc9\x16"
-			  "\x95\x72\x4b\xf4\x89\xd5\xb9\x10"
-			  "\xf6\x2d\x60\x15\xea\x3c\x06\x66"
-			  "\x9f\x82\xad\x17\xce\xd2\xa4\x48"
-			  "\x7c\x65\xd9\xf8\x02\x4d\x9b\x4c"
-			  "\x89\x06\x3a\x34\x85\x48\x89\x86"
-			  "\xf9\x24\xa9\x54\x72\xdb\x44\x95"
-			  "\xc7\x44\x1c\x19\x11\x4c\x04\xdc"
-			  "\x13\xb9\x67\xc8\xc3\x3a\x6a\x50"
-			  "\xfa\xd1\xfb\xe1\x88\xb6\xf1\xa3"
-			  "\xc5\x3b\xdc\x38\x45\x16\x26\x02"
-			  "\x3b\xb8\x8f\x8b\x58\x7d\x23\x04"
-			  "\x50\x6b\x81\x9f\xae\x66\xac\x6f"
-			  "\xcf\x2a\x9d\xf1\xfd\x1d\x57\x07"
-			  "\xbe\x58\xeb\x77\x0c\xe3\xc2\x19"
-			  "\x14\x74\x1b\x51\x1c\x4f\x41\xf3"
-			  "\x32\x89\xb3\xe7\xde\x62\xf6\x5f"
-			  "\xc7\x6a\x4a\x2a\x5b\x0f\x5f\x87"
-			  "\x9c\x08\xb9\x02\x88\xc8\x29\xb7"
-			  "\x94\x52\xfa\x52\xfe\xaa\x50\x10"
-			  "\xba\x48\x75\x5e\x11\x1b\xe6\x39"
-			  "\xd7\x82\x2c\x87\xf1\x1e\xa4\x38"
-			  "\x72\x3e\x51\xe7\xd8\x3e\x5b\x7b"
-			  "\x31\x16\x89\xba\xd6\xad\x18\x5e"
-			  "\xba\xf8\x12\xb3\xf4\x6c\x47\x30"
-			  "\xc0\x38\x58\xb3\x10\x8d\x58\x5d"
-			  "\xb4\xfb\x19\x7e\x41\xc3\x66\xb8"
-			  "\xd6\x72\x84\xe1\x1a\xc2\x71\x4c"
-			  "\x0d\x4a\x21\x7a\xab\xa2\xc0\x36"
-			  "\x15\xc5\xe9\x46\xd7\x29\x17\x76"
-			  "\x5e\x47\x36\x7f\x72\x05\xa7\xcc"
-			  "\x36\x63\xf9\x47\x7d\xe6\x07\x3c"
-			  "\x8b\x79\x1d\x96\x61\x8d\x90\x65"
-			  "\x7c\xf5\xeb\x4e\x6e\x09\x59\x6d"
-			  "\x62\x50\x1b\x0f\xe0\xdc\x78\xf2"
-			  "\x5b\x83\x1a\xa1\x11\x75\xfd\x18"
-			  "\xd7\xe2\x8d\x65\x14\x21\xce\xbe"
-			  "\xb5\x87\xe3\x0a\xda\x24\x0a\x64"
-			  "\xa9\x9f\x03\x8d\x46\x5d\x24\x1a"
-			  "\x8a\x0c\x42\x01\xca\xb1\x5f\x7c"
-			  "\xa5\xac\x32\x4a\xb8\x07\x91\x18"
-			  "\x6f\xb0\x71\x3c\xc9\xb1\xa8\xf8"
-			  "\x5f\x69\xa5\xa1\xca\x9e\x7a\xaa"
-			  "\xac\xe9\xc7\x47\x41\x75\x25\xc3"
-			  "\x73\xe2\x0b\xdd\x6d\x52\x71\xbe"
-			  "\xc5\xdc\xb4\xe7\x01\x26\x53\x77"
-			  "\x86\x90\x85\x68\x6b\x7b\x03\x53"
-			  "\xda\x52\x52\x51\x68\xc8\xf3\xec"
-			  "\x6c\xd5\x03\x7a\xa3\x0e\xb4\x02"
-			  "\x5f\x1a\xab\xee\xca\x67\x29\x7b"
-			  "\xbd\x96\x59\xb3\x8b\x32\x7a\x92"
-			  "\x9f\xd8\x25\x2b\xdf\xc0\x4c\xda",
-		.ksize	= 1088,
-		.plaintext	= "\xbc\xda\x81\xa8\x78\x79\x1c\xbf"
-			  "\x77\x53\xba\x4c\x30\x5b\xb8\x33",
-		.psize	= 16,
-		.digest	= "\x04\xbf\x7f\x6a\xce\x72\xea\x6a"
-			  "\x79\xdb\xb0\xc9\x60\xf6\x12\xcc",
-	}, {
-		.key	= "\x2e\x77\x1e\x2c\x63\x76\x34\x3f"
-			  "\x71\x08\x4f\x5a\xe3\x3d\x74\x56"
-			  "\xc7\x98\x46\x52\xe5\x8a\xba\x0d"
-			  "\x72\x41\x11\x15\x14\x72\x50\x8a"
-			  "\xd5\xec\x60\x09\xdd\x71\xcc\xb9"
-			  "\x59\x81\x65\x2d\x9e\x50\x18\xf3"
-			  "\x32\xf3\xf1\xe7\x01\x82\x1c\xad"
-			  "\x88\xa0\x21\x0c\x4b\x80\x5e\x62"
-			  "\xfc\x81\xec\x52\xaa\xe4\xa5\x86"
-			  "\xc2\xe6\x03\x11\xdc\x66\x09\x86"
-			  "\x3c\x3b\xf0\x59\x0f\xb3\xf7\x44"
-			  "\x24\xb7\x88\xc5\xfc\xc8\x77\x9f"
-			  "\x8c\x44\xc4\x11\x55\xce\x7a\xa3"
-			  "\xe0\xa2\xb8\xbf\xb5\x3d\x07\x2c"
-			  "\x32\xb6\x6c\xfc\xb4\x42\x95\x95"
-			  "\x98\x32\x81\xc4\xe7\xe2\xd9\x6a"
-			  "\x87\xf4\xf4\x1e\x74\x7c\xb5\xcd"
-			  "\x51\x45\x68\x38\x51\xdb\x30\x74"
-			  "\x11\xe0\xaa\xae\x19\x8f\x15\x55"
-			  "\xdd\x47\x4a\x35\xb9\x0c\xb4\x4e"
-			  "\xa9\xce\x2f\xfa\x8f\xc1\x8a\x5e"
-			  "\x5b\xec\xa5\x81\x3b\xb3\x43\x06"
-			  "\x24\x81\xf4\x24\xe2\x21\xfa\xcb"
-			  "\x49\xa8\xf8\xbd\x31\x4a\x5b\x2d"
-			  "\x64\x0a\x07\xf0\x80\xc9\x0d\x81"
-			  "\x14\x58\x54\x2b\xba\x22\x31\xba"
-			  "\xef\x66\xc9\x49\x69\x69\x83\x0d"
-			  "\xf2\xf9\x80\x9d\x30\x36\xfb\xe3"
-			  "\xc0\x72\x2b\xcc\x5a\x81\x2c\x5d"
-			  "\x3b\x5e\xf8\x2b\xd3\x14\x28\x73"
-			  "\xf9\x1c\x70\xe6\xd8\xbb\xac\x30"
-			  "\xf9\xd9\xa0\xe2\x33\x7c\x33\x34"
-			  "\xa5\x6a\x77\x6d\xd5\xaf\xf4\xf3"
-			  "\xc7\xb3\x0e\x83\x3d\xcb\x01\xcc"
-			  "\x81\xc0\xf9\x4a\xae\x36\x92\xf7"
-			  "\x69\x7b\x65\x01\xc3\xc8\xb8\xae"
-			  "\x16\xd8\x30\xbb\xba\x6d\x78\x6e"
-			  "\x0d\xf0\x7d\x84\xb7\x87\xda\x28"
-			  "\x7a\x18\x10\x0b\x29\xec\x29\xf3"
-			  "\xb0\x7b\xa1\x28\xbf\xbc\x2b\x2c"
-			  "\x92\x2c\x16\xfb\x02\x39\xf9\xa6"
-			  "\xa2\x15\x05\xa6\x72\x10\xbc\x62"
-			  "\x4a\x6e\xb8\xb5\x5d\x59\xae\x3c"
-			  "\x32\xd3\x68\xd7\x8e\x5a\xcd\x1b"
-			  "\xef\xf6\xa7\x5e\x10\x51\x15\x4b"
-			  "\x2c\xe3\xba\x70\x4f\x2c\xa0\x1c"
-			  "\x7b\x97\xd7\xb2\xa5\x05\x17\xcc"
-			  "\xf7\x3a\x29\x6f\xd5\x4b\xb8\x24"
-			  "\xf4\x65\x95\x12\xc0\x86\xd1\x64"
-			  "\x81\xdf\x46\x55\x0d\x22\x06\x77"
-			  "\xd8\xca\x8d\xc8\x87\xc3\xfa\xb9"
-			  "\xe1\x98\x94\xe6\x7b\xed\x65\x66"
-			  "\x0e\xc7\x25\x15\xee\x4a\xe6\x7e"
-			  "\xea\x1b\x58\xee\x96\xa0\x75\x9a"
-			  "\xa3\x00\x9e\x42\xc2\x26\x20\x8c"
-			  "\x3d\x22\x1f\x94\x3e\x74\x43\x72"
-			  "\xe9\x1d\xa6\xa1\x6c\xa7\xb8\x03"
-			  "\xdf\xb9\x7a\xaf\xe9\xe9\x3b\xfe"
-			  "\xdf\x91\xc1\x01\xa8\xba\x5d\x29"
-			  "\xa5\xe0\x98\x9b\x13\xe5\x13\x11"
-			  "\x7c\x04\x3a\xe8\x44\x7e\x78\xfc"
-			  "\xd6\x96\xa8\xbc\x7d\xc1\x89\x3d"
-			  "\x75\x64\xa9\x0e\x86\x33\xfb\x73"
-			  "\xf7\x15\xbc\x2c\x9a\x3f\x29\xce"
-			  "\x1c\x9d\x10\x4e\x85\xe1\x77\x41"
-			  "\x01\xe2\xbc\x88\xec\x81\xef\xc2"
-			  "\x6a\xed\x4f\xf7\xdf\xac\x10\x71"
-			  "\x94\xed\x71\xa4\x01\xd4\xd6\xbe"
-			  "\xfe\x3e\xc3\x92\x6a\xf2\x2b\xb5"
-			  "\xab\x15\x96\xb7\x88\x2c\xc2\xe1"
-			  "\xb0\x04\x22\xe7\x3d\xa9\xc9\x7d"
-			  "\x2c\x7c\x21\xff\x97\x86\x6b\x0c"
-			  "\x2b\x5b\xe0\xb6\x48\x74\x8f\x24"
-			  "\xef\x8e\xdd\x0f\x2a\x5f\xff\x33"
-			  "\xf4\x8e\xc5\xeb\x9c\xd7\x2a\x45"
-			  "\xf3\x50\xf1\xc0\x91\x8f\xc7\xf9"
-			  "\x97\xc1\x3c\x9c\xf4\xed\x8a\x23"
-			  "\x61\x5b\x40\x1a\x09\xee\x23\xa8"
-			  "\x7c\x7a\x96\xe1\x31\x55\x3d\x12"
-			  "\x04\x1f\x21\x78\x72\xf0\x0f\xa5"
-			  "\x80\x58\x7c\x2f\x37\xb5\x67\x24"
-			  "\x2f\xce\xf9\xf6\x86\x9f\xb3\x34"
-			  "\x0c\xfe\x0a\xaf\x27\xe6\x5e\x0a"
-			  "\x21\x44\x68\xe1\x5d\x84\x25\xae"
-			  "\x2c\x5a\x94\x66\x9a\x3f\x0e\x5a"
-			  "\xd0\x60\x2a\xd5\x3a\x4e\x2f\x40"
-			  "\x87\xe9\x27\x3e\xee\x92\xe1\x07"
-			  "\x22\x43\x52\xed\x67\x49\x13\xdd"
-			  "\x68\xd7\x54\xc2\x76\x72\x7e\x75"
-			  "\xaf\x24\x98\x5c\xe8\x22\xaa\x35"
-			  "\x0f\x9a\x1c\x4c\x0b\x43\x68\x99"
-			  "\x45\xdd\xbf\x82\xa5\x6f\x0a\xef"
-			  "\x44\x90\x85\xe7\x57\x23\x22\x41"
-			  "\x2e\xda\x24\x28\x65\x7f\x96\x85"
-			  "\x9f\x4b\x0d\x43\xb9\xa8\xbd\x84"
-			  "\xad\x0b\x09\xcc\x2c\x4a\x0c\xec"
-			  "\x71\x58\xba\xf1\xfc\x49\x4c\xca"
-			  "\x5c\x5d\xb2\x77\x0c\x99\xae\x1c"
-			  "\xce\x70\x05\x5b\x73\x6b\x7c\x28"
-			  "\x3b\xeb\x21\x3f\xa3\x71\xe1\x6a"
-			  "\xf4\x87\xd0\xbf\x73\xaa\x0b\x0b"
-			  "\xed\x70\xb3\xd4\xa3\xca\x76\x3a"
-			  "\xdb\xfa\xd8\x08\x95\xec\xac\x59"
-			  "\xd0\x79\x90\xc2\x33\x7b\xcc\x28"
-			  "\x65\xb6\x5f\x92\xc4\xac\x23\x40"
-			  "\xd1\x20\x44\x1f\xd7\x29\xab\x46"
-			  "\x79\x32\xc6\x8f\x79\xe5\xaa\x2c"
-			  "\xa6\x76\x70\x3a\x9e\x46\x3f\x8c"
-			  "\x1a\x89\x32\x28\x61\x5c\xcf\x93"
-			  "\x1e\xde\x9e\x98\xbe\x06\x30\x23"
-			  "\xc4\x8b\xda\x1c\xd1\x67\x46\x93"
-			  "\x9d\x41\xa2\x8c\x03\x22\xbd\x55"
-			  "\x7e\x91\x51\x13\xdc\xcf\x5c\x1e"
-			  "\xcb\x5d\xfb\x14\x16\x1a\x44\x56"
-			  "\x27\x77\xfd\xed\x7d\xbd\xd1\x49"
-			  "\x7f\x0d\xc3\x59\x48\x6b\x3c\x02"
-			  "\x6b\xb5\xd0\x83\xd5\x81\x29\xe7"
-			  "\xe0\xc9\x36\x23\x8d\x41\x33\x77"
-			  "\xff\x5f\x54\xde\x4d\x3f\xd2\x4e"
-			  "\xb6\x4d\xdd\x85\xf8\x9b\x20\x7d"
-			  "\x39\x27\x68\x63\xd3\x8e\x61\x39"
-			  "\xfa\xe1\xc3\x04\x74\x27\x5a\x34"
-			  "\x7f\xec\x59\x2d\xc5\x6e\x54\x23"
-			  "\xf5\x7b\x4b\xbe\x58\x2b\xf2\x81"
-			  "\x93\x63\xcc\x13\xd9\x90\xbb\x6a"
-			  "\x41\x03\x8d\x95\xeb\xbb\x5d\x06"
-			  "\x38\x4c\x0e\xd6\xa9\x5b\x84\x97"
-			  "\x3e\x64\x72\xe9\x96\x07\x0f\x73"
-			  "\x6e\xc6\x3b\x32\xbe\xac\x13\x14"
-			  "\xd0\x0a\x17\x5f\xb9\x9c\x3e\x34"
-			  "\xd9\xec\xd6\x8f\x89\xbf\x1e\xd3"
-			  "\xda\x80\xb2\x29\xff\x28\x96\xb3"
-			  "\x46\x50\x5b\x15\x80\x97\xee\x1f"
-			  "\x6c\xd8\xe8\xe0\xbd\x09\xe7\x20"
-			  "\x8c\x23\x8e\xd9\xbb\x92\xfa\x82"
-			  "\xaa\x0f\xb5\xf8\x78\x60\x11\xf0",
-		.ksize	= 1088,
-		.plaintext	= "\x0b\xb2\x31\x2d\xad\xfe\xce\xf9"
-			  "\xec\x5d\x3d\x64\x5f\x3f\x75\x43"
-			  "\x05\x5b\x97",
-		.psize	= 19,
-		.digest	= "\x5f\x02\xae\x65\x6c\x13\x21\x67"
-			  "\x77\x9e\xc4\x43\x58\x68\xde\x8f",
-	}, {
-		.key	= "\x65\x4d\xe3\xf8\xd2\x4c\xac\x28"
-			  "\x68\xf5\xb3\x81\x71\x4b\xa1\xfa"
-			  "\x04\x0e\xd3\x81\x36\xbe\x0c\x81"
-			  "\x5e\xaf\xbc\x3a\xa4\xc0\x8e\x8b"
-			  "\x55\x63\xd3\x52\x97\x88\xd6\x19"
-			  "\xbc\x96\xdf\x49\xff\x04\x63\xf5"
-			  "\x0c\x11\x13\xaa\x9e\x1f\x5a\xf7"
-			  "\xdd\xbd\x37\x80\xc3\xd0\xbe\xa7"
-			  "\x05\xc8\x3c\x98\x1e\x05\x3c\x84"
-			  "\x39\x61\xc4\xed\xed\x71\x1b\xc4"
-			  "\x74\x45\x2c\xa1\x56\x70\x97\xfd"
-			  "\x44\x18\x07\x7d\xca\x60\x1f\x73"
-			  "\x3b\x6d\x21\xcb\x61\x87\x70\x25"
-			  "\x46\x21\xf1\x1f\x21\x91\x31\x2d"
-			  "\x5d\xcc\xb7\xd1\x84\x3e\x3d\xdb"
-			  "\x03\x53\x2a\x82\xa6\x9a\x95\xbc"
-			  "\x1a\x1e\x0a\x5e\x07\x43\xab\x43"
-			  "\xaf\x92\x82\x06\x91\x04\x09\xf4"
-			  "\x17\x0a\x9a\x2c\x54\xdb\xb8\xf4"
-			  "\xd0\xf0\x10\x66\x24\x8d\xcd\xda"
-			  "\xfe\x0e\x45\x9d\x6f\xc4\x4e\xf4"
-			  "\x96\xaf\x13\xdc\xa9\xd4\x8c\xc4"
-			  "\xc8\x57\x39\x3c\xc2\xd3\x0a\x76"
-			  "\x4a\x1f\x75\x83\x44\xc7\xd1\x39"
-			  "\xd8\xb5\x41\xba\x73\x87\xfa\x96"
-			  "\xc7\x18\x53\xfb\x9b\xda\xa0\x97"
-			  "\x1d\xee\x60\x85\x9e\x14\xc3\xce"
-			  "\xc4\x05\x29\x3b\x95\x30\xa3\xd1"
-			  "\x9f\x82\x6a\x04\xf5\xa7\x75\x57"
-			  "\x82\x04\xfe\x71\x51\x71\xb1\x49"
-			  "\x50\xf8\xe0\x96\xf1\xfa\xa8\x88"
-			  "\x3f\xa0\x86\x20\xd4\x60\x79\x59"
-			  "\x17\x2d\xd1\x09\xf4\xec\x05\x57"
-			  "\xcf\x62\x7e\x0e\x7e\x60\x78\xe6"
-			  "\x08\x60\x29\xd8\xd5\x08\x1a\x24"
-			  "\xc4\x6c\x24\xe7\x92\x08\x3d\x8a"
-			  "\x98\x7a\xcf\x99\x0a\x65\x0e\xdc"
-			  "\x8c\x8a\xbe\x92\x82\x91\xcc\x62"
-			  "\x30\xb6\xf4\x3f\xc6\x8a\x7f\x12"
-			  "\x4a\x8a\x49\xfa\x3f\x5c\xd4\x5a"
-			  "\xa6\x82\xa3\xe6\xaa\x34\x76\xb2"
-			  "\xab\x0a\x30\xef\x6c\x77\x58\x3f"
-			  "\x05\x6b\xcc\x5c\xae\xdc\xd7\xb9"
-			  "\x51\x7e\x8d\x32\x5b\x24\x25\xbe"
-			  "\x2b\x24\x01\xcf\x80\xda\x16\xd8"
-			  "\x90\x72\x2c\xad\x34\x8d\x0c\x74"
-			  "\x02\xcb\xfd\xcf\x6e\xef\x97\xb5"
-			  "\x4c\xf2\x68\xca\xde\x43\x9e\x8a"
-			  "\xc5\x5f\x31\x7f\x14\x71\x38\xec"
-			  "\xbd\x98\xe5\x71\xc4\xb5\xdb\xef"
-			  "\x59\xd2\xca\xc0\xc1\x86\x75\x01"
-			  "\xd4\x15\x0d\x6f\xa4\xf7\x7b\x37"
-			  "\x47\xda\x18\x93\x63\xda\xbe\x9e"
-			  "\x07\xfb\xb2\x83\xd5\xc4\x34\x55"
-			  "\xee\x73\xa1\x42\x96\xf9\x66\x41"
-			  "\xa4\xcc\xd2\x93\x6e\xe1\x0a\xbb"
-			  "\xd2\xdd\x18\x23\xe6\x6b\x98\x0b"
-			  "\x8a\x83\x59\x2c\xc3\xa6\x59\x5b"
-			  "\x01\x22\x59\xf7\xdc\xb0\x87\x7e"
-			  "\xdb\x7d\xf4\x71\x41\xab\xbd\xee"
-			  "\x79\xbe\x3c\x01\x76\x0b\x2d\x0a"
-			  "\x42\xc9\x77\x8c\xbb\x54\x95\x60"
-			  "\x43\x2e\xe0\x17\x52\xbd\x90\xc9"
-			  "\xc2\x2c\xdd\x90\x24\x22\x76\x40"
-			  "\x5c\xb9\x41\xc9\xa1\xd5\xbd\xe3"
-			  "\x44\xe0\xa4\xab\xcc\xb8\xe2\x32"
-			  "\x02\x15\x04\x1f\x8c\xec\x5d\x14"
-			  "\xac\x18\xaa\xef\x6e\x33\x19\x6e"
-			  "\xde\xfe\x19\xdb\xeb\x61\xca\x18"
-			  "\xad\xd8\x3d\xbf\x09\x11\xc7\xa5"
-			  "\x86\x0b\x0f\xe5\x3e\xde\xe8\xd9"
-			  "\x0a\x69\x9e\x4c\x20\xff\xf9\xc5"
-			  "\xfa\xf8\xf3\x7f\xa5\x01\x4b\x5e"
-			  "\x0f\xf0\x3b\x68\xf0\x46\x8c\x2a"
-			  "\x7a\xc1\x8f\xa0\xfe\x6a\x5b\x44"
-			  "\x70\x5c\xcc\x92\x2c\x6f\x0f\xbd"
-			  "\x25\x3e\xb7\x8e\x73\x58\xda\xc9"
-			  "\xa5\xaa\x9e\xf3\x9b\xfd\x37\x3e"
-			  "\xe2\x88\xa4\x7b\xc8\x5c\xa8\x93"
-			  "\x0e\xe7\x9a\x9c\x2e\x95\x18\x9f"
-			  "\xc8\x45\x0c\x88\x9e\x53\x4f\x3a"
-			  "\x76\xc1\x35\xfa\x17\xd8\xac\xa0"
-			  "\x0c\x2d\x47\x2e\x4f\x69\x9b\xf7"
-			  "\xd0\xb6\x96\x0c\x19\xb3\x08\x01"
-			  "\x65\x7a\x1f\xc7\x31\x86\xdb\xc8"
-			  "\xc1\x99\x8f\xf8\x08\x4a\x9d\x23"
-			  "\x22\xa8\xcf\x27\x01\x01\x88\x93"
-			  "\x9c\x86\x45\xbd\xe0\x51\xca\x52"
-			  "\x84\xba\xfe\x03\xf7\xda\xc5\xce"
-			  "\x3e\x77\x75\x86\xaf\x84\xc8\x05"
-			  "\x44\x01\x0f\x02\xf3\x58\xb0\x06"
-			  "\x5a\xd7\x12\x30\x8d\xdf\x1f\x1f"
-			  "\x0a\xe6\xd2\xea\xf6\x3a\x7a\x99"
-			  "\x63\xe8\xd2\xc1\x4a\x45\x8b\x40"
-			  "\x4d\x0a\xa9\x76\x92\xb3\xda\x87"
-			  "\x36\x33\xf0\x78\xc3\x2f\x5f\x02"
-			  "\x1a\x6a\x2c\x32\xcd\x76\xbf\xbd"
-			  "\x5a\x26\x20\x28\x8c\x8c\xbc\x52"
-			  "\x3d\x0a\xc9\xcb\xab\xa4\x21\xb0"
-			  "\x54\x40\x81\x44\xc7\xd6\x1c\x11"
-			  "\x44\xc6\x02\x92\x14\x5a\xbf\x1a"
-			  "\x09\x8a\x18\xad\xcd\x64\x3d\x53"
-			  "\x4a\xb6\xa5\x1b\x57\x0e\xef\xe0"
-			  "\x8c\x44\x5f\x7d\xbd\x6c\xfd\x60"
-			  "\xae\x02\x24\xb6\x99\xdd\x8c\xaf"
-			  "\x59\x39\x75\x3c\xd1\x54\x7b\x86"
-			  "\xcc\x99\xd9\x28\x0c\xb0\x94\x62"
-			  "\xf9\x51\xd1\x19\x96\x2d\x66\xf5"
-			  "\x55\xcf\x9e\x59\xe2\x6b\x2c\x08"
-			  "\xc0\x54\x48\x24\x45\xc3\x8c\x73"
-			  "\xea\x27\x6e\x66\x7d\x1d\x0e\x6e"
-			  "\x13\xe8\x56\x65\x3a\xb0\x81\x5c"
-			  "\xf0\xe8\xd8\x00\x6b\xcd\x8f\xad"
-			  "\xdd\x53\xf3\xa4\x6c\x43\xd6\x31"
-			  "\xaf\xd2\x76\x1e\x91\x12\xdb\x3c"
-			  "\x8c\xc2\x81\xf0\x49\xdb\xe2\x6b"
-			  "\x76\x62\x0a\x04\xe4\xaa\x8a\x7c"
-			  "\x08\x0b\x5d\xd0\xee\x1d\xfb\xc4"
-			  "\x02\x75\x42\xd6\xba\xa7\x22\xa8"
-			  "\x47\x29\xb7\x85\x6d\x93\x3a\xdb"
-			  "\x00\x53\x0b\xa2\xeb\xf8\xfe\x01"
-			  "\x6f\x8a\x31\xd6\x17\x05\x6f\x67"
-			  "\x88\x95\x32\xfe\x4f\xa6\x4b\xf8"
-			  "\x03\xe4\xcd\x9a\x18\xe8\x4e\x2d"
-			  "\xf7\x97\x9a\x0c\x7d\x9f\x7e\x44"
-			  "\x69\x51\xe0\x32\x6b\x62\x86\x8f"
-			  "\xa6\x8e\x0b\x21\x96\xe5\xaf\x77"
-			  "\xc0\x83\xdf\xa5\x0e\xd0\xa1\x04"
-			  "\xaf\xc1\x10\xcb\x5a\x40\xe4\xe3"
-			  "\x38\x7e\x07\xe8\x4d\xfa\xed\xc5"
-			  "\xf0\x37\xdf\xbb\x8a\xcf\x3d\xdc"
-			  "\x61\xd2\xc6\x2b\xff\x07\xc9\x2f"
-			  "\x0c\x2d\x5c\x07\xa8\x35\x6a\xfc"
-			  "\xae\x09\x03\x45\x74\x51\x4d\xc4"
-			  "\xb8\x23\x87\x4a\x99\x27\x20\x87"
-			  "\x62\x44\x0a\x4a\xce\x78\x47\x22",
-		.ksize	= 1088,
-		.plaintext	= "\x8e\xb0\x4c\xde\x9c\x4a\x04\x5a"
-			  "\xf6\xa9\x7f\x45\x25\xa5\x7b\x3a"
-			  "\xbc\x4d\x73\x39\x81\xb5\xbd\x3d"
-			  "\x21\x6f\xd7\x37\x50\x3c\x7b\x28"
-			  "\xd1\x03\x3a\x17\xed\x7b\x7c\x2a"
-			  "\x16\xbc\xdf\x19\x89\x52\x71\x31"
-			  "\xb6\xc0\xfd\xb5\xd3\xba\x96\x99"
-			  "\xb6\x34\x0b\xd0\x99\x93\xfc\x1a"
-			  "\x01\x3c\x85\xc6\x9b\x78\x5c\x8b"
-			  "\xfe\xae\xd2\xbf\xb2\x6f\xf9\xed"
-			  "\xc8\x25\x17\xfe\x10\x3b\x7d\xda"
-			  "\xf4\x8d\x35\x4b\x7c\x7b\x82\xe7"
-			  "\xc2\xb3\xee\x60\x4a\x03\x86\xc9"
-			  "\x4e\xb5\xc4\xbe\xd2\xbd\x66\xf1"
-			  "\x13\xf1\x09\xab\x5d\xca\x63\x1f"
-			  "\xfc\xfb\x57\x2a\xfc\xca\x66\xd8"
-			  "\x77\x84\x38\x23\x1d\xac\xd3\xb3"
-			  "\x7a\xad\x4c\x70\xfa\x9c\xc9\x61"
-			  "\xa6\x1b\xba\x33\x4b\x4e\x33\xec"
-			  "\xa0\xa1\x64\x39\x40\x05\x1c\xc2"
-			  "\x3f\x49\x9d\xae\xf2\xc5\xf2\xc5"
-			  "\xfe\xe8\xf4\xc2\xf9\x96\x2d\x28"
-			  "\x92\x30\x44\xbc\xd2\x7f\xe1\x6e"
-			  "\x62\x02\x8f\x3d\x1c\x80\xda\x0e"
-			  "\x6a\x90\x7e\x75\xff\xec\x3e\xc4"
-			  "\xcd\x16\x34\x3b\x05\x6d\x4d\x20"
-			  "\x1c\x7b\xf5\x57\x4f\xfa\x3d\xac"
-			  "\xd0\x13\x55\xe8\xb3\xe1\x1b\x78"
-			  "\x30\xe6\x9f\x84\xd4\x69\xd1\x08"
-			  "\x12\x77\xa7\x4a\xbd\xc0\xf2\xd2"
-			  "\x78\xdd\xa3\x81\x12\xcb\x6c\x14"
-			  "\x90\x61\xe2\x84\xc6\x2b\x16\xcc"
-			  "\x40\x99\x50\x88\x01\x09\x64\x4f"
-			  "\x0a\x80\xbe\x61\xae\x46\xc9\x0a"
-			  "\x5d\xe0\xfb\x72\x7a\x1a\xdd\x61"
-			  "\x63\x20\x05\xa0\x4a\xf0\x60\x69"
-			  "\x7f\x92\xbc\xbf\x4e\x39\x4d\xdd"
-			  "\x74\xd1\xb7\xc0\x5a\x34\xb7\xae"
-			  "\x76\x65\x2e\xbc\x36\xb9\x04\x95"
-			  "\x42\xe9\x6f\xca\x78\xb3\x72\x07"
-			  "\xa3\xba\x02\x94\x67\x4c\xb1\xd7"
-			  "\xe9\x30\x0d\xf0\x3b\xb8\x10\x6d"
-			  "\xea\x2b\x21\xbf\x74\x59\x82\x97"
-			  "\x85\xaa\xf1\xd7\x54\x39\xeb\x05"
-			  "\xbd\xf3\x40\xa0\x97\xe6\x74\xfe"
-			  "\xb4\x82\x5b\xb1\x36\xcb\xe8\x0d"
-			  "\xce\x14\xd9\xdf\xf1\x94\x22\xcd"
-			  "\xd6\x00\xba\x04\x4c\x05\x0c\xc0"
-			  "\xd1\x5a\xeb\x52\xd5\xa8\x8e\xc8"
-			  "\x97\xa1\xaa\xc1\xea\xc1\xbe\x7c"
-			  "\x36\xb3\x36\xa0\xc6\x76\x66\xc5"
-			  "\xe2\xaf\xd6\x5c\xe2\xdb\x2c\xb3"
-			  "\x6c\xb9\x99\x7f\xff\x9f\x03\x24"
-			  "\xe1\x51\x44\x66\xd8\x0c\x5d\x7f"
-			  "\x5c\x85\x22\x2a\xcf\x6d\x79\x28"
-			  "\xab\x98\x01\x72\xfe\x80\x87\x5f"
-			  "\x46\xba\xef\x81\x24\xee\xbf\xb0"
-			  "\x24\x74\xa3\x65\x97\x12\xc4\xaf"
-			  "\x8b\xa0\x39\xda\x8a\x7e\x74\x6e"
-			  "\x1b\x42\xb4\x44\x37\xfc\x59\xfd"
-			  "\x86\xed\xfb\x8c\x66\x33\xda\x63"
-			  "\x75\xeb\xe1\xa4\x85\x4f\x50\x8f"
-			  "\x83\x66\x0d\xd3\x37\xfa\xe6\x9c"
-			  "\x4f\x30\x87\x35\x18\xe3\x0b\xb7"
-			  "\x6e\x64\x54\xcd\x70\xb3\xde\x54"
-			  "\xb7\x1d\xe6\x4c\x4d\x55\x12\x12"
-			  "\xaf\x5f\x7f\x5e\xee\x9d\xe8\x8e"
-			  "\x32\x9d\x4e\x75\xeb\xc6\xdd\xaa"
-			  "\x48\x82\xa4\x3f\x3c\xd7\xd3\xa8"
-			  "\x63\x9e\x64\xfe\xe3\x97\x00\x62"
-			  "\xe5\x40\x5d\xc3\xad\x72\xe1\x28"
-			  "\x18\x50\xb7\x75\xef\xcd\x23\xbf"
-			  "\x3f\xc0\x51\x36\xf8\x41\xc3\x08"
-			  "\xcb\xf1\x8d\x38\x34\xbd\x48\x45"
-			  "\x75\xed\xbc\x65\x7b\xb5\x0c\x9b"
-			  "\xd7\x67\x7d\x27\xb4\xc4\x80\xd7"
-			  "\xa9\xb9\xc7\x4a\x97\xaa\xda\xc8"
-			  "\x3c\x74\xcf\x36\x8f\xe4\x41\xe3"
-			  "\xd4\xd3\x26\xa7\xf3\x23\x9d\x8f"
-			  "\x6c\x20\x05\x32\x3e\xe0\xc3\xc8"
-			  "\x56\x3f\xa7\x09\xb7\xfb\xc7\xf7"
-			  "\xbe\x2a\xdd\x0f\x06\x7b\x0d\xdd"
-			  "\xb0\xb4\x86\x17\xfd\xb9\x04\xe5"
-			  "\xc0\x64\x5d\xad\x2a\x36\x38\xdb"
-			  "\x24\xaf\x5b\xff\xca\xf9\x41\xe8"
-			  "\xf9\x2f\x1e\x5e\xf9\xf5\xd5\xf2"
-			  "\xb2\x88\xca\xc9\xa1\x31\xe2\xe8"
-			  "\x10\x95\x65\xbf\xf1\x11\x61\x7a"
-			  "\x30\x1a\x54\x90\xea\xd2\x30\xf6"
-			  "\xa5\xad\x60\xf9\x4d\x84\x21\x1b"
-			  "\xe4\x42\x22\xc8\x12\x4b\xb0\x58"
-			  "\x3e\x9c\x2d\x32\x95\x0a\x8e\xb0"
-			  "\x0a\x7e\x77\x2f\xe8\x97\x31\x6a"
-			  "\xf5\x59\xb4\x26\xe6\x37\x12\xc9"
-			  "\xcb\xa0\x58\x33\x6f\xd5\x55\x55"
-			  "\x3c\xa1\x33\xb1\x0b\x7e\x2e\xb4"
-			  "\x43\x2a\x84\x39\xf0\x9c\xf4\x69"
-			  "\x4f\x1e\x79\xa6\x15\x1b\x87\xbb"
-			  "\xdb\x9b\xe0\xf1\x0b\xba\xe3\x6e"
-			  "\xcc\x2f\x49\x19\x22\x29\xfc\x71"
-			  "\xbb\x77\x38\x18\x61\xaf\x85\x76"
-			  "\xeb\xd1\x09\xcc\x86\x04\x20\x9a"
-			  "\x66\x53\x2f\x44\x8b\xc6\xa3\xd2"
-			  "\x5f\xc7\x79\x82\x66\xa8\x6e\x75"
-			  "\x7d\x94\xd1\x86\x75\x0f\xa5\x4f"
-			  "\x3c\x7a\x33\xce\xd1\x6e\x9d\x7b"
-			  "\x1f\x91\x37\xb8\x37\x80\xfb\xe0"
-			  "\x52\x26\xd0\x9a\xd4\x48\x02\x41"
-			  "\x05\xe3\x5a\x94\xf1\x65\x61\x19"
-			  "\xb8\x88\x4e\x2b\xea\xba\x8b\x58"
-			  "\x8b\x42\x01\x00\xa8\xfe\x00\x5c"
-			  "\xfe\x1c\xee\x31\x15\x69\xfa\xb3"
-			  "\x9b\x5f\x22\x8e\x0d\x2c\xe3\xa5"
-			  "\x21\xb9\x99\x8a\x8e\x94\x5a\xef"
-			  "\x13\x3e\x99\x96\x79\x6e\xd5\x42"
-			  "\x36\x03\xa9\xe2\xca\x65\x4e\x8a"
-			  "\x8a\x30\xd2\x7d\x74\xe7\xf0\xaa"
-			  "\x23\x26\xdd\xcb\x82\x39\xfc\x9d"
-			  "\x51\x76\x21\x80\xa2\xbe\x93\x03"
-			  "\x47\xb0\xc1\xb6\xdc\x63\xfd\x9f"
-			  "\xca\x9d\xa5\xca\x27\x85\xe2\xd8"
-			  "\x15\x5b\x7e\x14\x7a\xc4\x89\xcc"
-			  "\x74\x14\x4b\x46\xd2\xce\xac\x39"
-			  "\x6b\x6a\x5a\xa4\x0e\xe3\x7b\x15"
-			  "\x94\x4b\x0f\x74\xcb\x0c\x7f\xa9"
-			  "\xbe\x09\x39\xa3\xdd\x56\x5c\xc7"
-			  "\x99\x56\x65\x39\xf4\x0b\x7d\x87"
-			  "\xec\xaa\xe3\x4d\x22\x65\x39\x4e",
-		.psize	= 1024,
-		.digest	= "\x64\x3a\xbc\xc3\x3f\x74\x40\x51"
-			  "\x6e\x56\x01\x1a\x51\xec\x36\xde",
-	}, {
-		.key	= "\x1b\x82\x2e\x1b\x17\x23\xb9\x6d"
-			  "\xdc\x9c\xda\x99\x07\xe3\x5f\xd8"
-			  "\xd2\xf8\x43\x80\x8d\x86\x7d\x80"
-			  "\x1a\xd0\xcc\x13\xb9\x11\x05\x3f"
-			  "\x7e\xcf\x7e\x80\x0e\xd8\x25\x48"
-			  "\x8b\xaa\x63\x83\x92\xd0\x72\xf5"
-			  "\x4f\x67\x7e\x50\x18\x25\xa4\xd1"
-			  "\xe0\x7e\x1e\xba\xd8\xa7\x6e\xdb"
-			  "\x1a\xcc\x0d\xfe\x9f\x6d\x22\x35"
-			  "\xe1\xe6\xe0\xa8\x7b\x9c\xb1\x66"
-			  "\xa3\xf8\xff\x4d\x90\x84\x28\xbc"
-			  "\xdc\x19\xc7\x91\x49\xfc\xf6\x33"
-			  "\xc9\x6e\x65\x7f\x28\x6f\x68\x2e"
-			  "\xdf\x1a\x75\xe9\xc2\x0c\x96\xb9"
-			  "\x31\x22\xc4\x07\xc6\x0a\x2f\xfd"
-			  "\x36\x06\x5f\x5c\xc5\xb1\x3a\xf4"
-			  "\x5e\x48\xa4\x45\x2b\x88\xa7\xee"
-			  "\xa9\x8b\x52\xcc\x99\xd9\x2f\xb8"
-			  "\xa4\x58\x0a\x13\xeb\x71\x5a\xfa"
-			  "\xe5\x5e\xbe\xf2\x64\xad\x75\xbc"
-			  "\x0b\x5b\x34\x13\x3b\x23\x13\x9a"
-			  "\x69\x30\x1e\x9a\xb8\x03\xb8\x8b"
-			  "\x3e\x46\x18\x6d\x38\xd9\xb3\xd8"
-			  "\xbf\xf1\xd0\x28\xe6\x51\x57\x80"
-			  "\x5e\x99\xfb\xd0\xce\x1e\x83\xf7"
-			  "\xe9\x07\x5a\x63\xa9\xef\xce\xa5"
-			  "\xfb\x3f\x37\x17\xfc\x0b\x37\x0e"
-			  "\xbb\x4b\x21\x62\xb7\x83\x0e\xa9"
-			  "\x9e\xb0\xc4\xad\x47\xbe\x35\xe7"
-			  "\x51\xb2\xf2\xac\x2b\x65\x7b\x48"
-			  "\xe3\x3f\x5f\xb6\x09\x04\x0c\x58"
-			  "\xce\x99\xa9\x15\x2f\x4e\xc1\xf2"
-			  "\x24\x48\xc0\xd8\x6c\xd3\x76\x17"
-			  "\x83\x5d\xe6\xe3\xfd\x01\x8e\xf7"
-			  "\x42\xa5\x04\x29\x30\xdf\xf9\x00"
-			  "\x4a\xdc\x71\x22\x1a\x33\x15\xb6"
-			  "\xd7\x72\xfb\x9a\xb8\xeb\x2b\x38"
-			  "\xea\xa8\x61\xa8\x90\x11\x9d\x73"
-			  "\x2e\x6c\xce\x81\x54\x5a\x9f\xcd"
-			  "\xcf\xd5\xbd\x26\x5d\x66\xdb\xfb"
-			  "\xdc\x1e\x7c\x10\xfe\x58\x82\x10"
-			  "\x16\x24\x01\xce\x67\x55\x51\xd1"
-			  "\xdd\x6b\x44\xa3\x20\x8e\xa9\xa6"
-			  "\x06\xa8\x29\x77\x6e\x00\x38\x5b"
-			  "\xde\x4d\x58\xd8\x1f\x34\xdf\xf9"
-			  "\x2c\xac\x3e\xad\xfb\x92\x0d\x72"
-			  "\x39\xa4\xac\x44\x10\xc0\x43\xc4"
-			  "\xa4\x77\x3b\xfc\xc4\x0d\x37\xd3"
-			  "\x05\x84\xda\x53\x71\xf8\x80\xd3"
-			  "\x34\x44\xdb\x09\xb4\x2b\x8e\xe3"
-			  "\x00\x75\x50\x9e\x43\x22\x00\x0b"
-			  "\x7c\x70\xab\xd4\x41\xf1\x93\xcd"
-			  "\x25\x2d\x84\x74\xb5\xf2\x92\xcd"
-			  "\x0a\x28\xea\x9a\x49\x02\x96\xcb"
-			  "\x85\x9e\x2f\x33\x03\x86\x1d\xdc"
-			  "\x1d\x31\xd5\xfc\x9d\xaa\xc5\xe9"
-			  "\x9a\xc4\x57\xf5\x35\xed\xf4\x4b"
-			  "\x3d\x34\xc2\x29\x13\x86\x36\x42"
-			  "\x5d\xbf\x90\x86\x13\x77\xe5\xc3"
-			  "\x62\xb4\xfe\x0b\x70\x39\x35\x65"
-			  "\x02\xea\xf6\xce\x57\x0c\xbb\x74"
-			  "\x29\xe3\xfd\x60\x90\xfd\x10\x38"
-			  "\xd5\x4e\x86\xbd\x37\x70\xf0\x97"
-			  "\xa6\xab\x3b\x83\x64\x52\xca\x66"
-			  "\x2f\xf9\xa4\xca\x3a\x55\x6b\xb0"
-			  "\xe8\x3a\x34\xdb\x9e\x48\x50\x2f"
-			  "\x3b\xef\xfd\x08\x2d\x5f\xc1\x37"
-			  "\x5d\xbe\x73\xe4\xd8\xe9\xac\xca"
-			  "\x8a\xaa\x48\x7c\x5c\xf4\xa6\x96"
-			  "\x5f\xfa\x70\xa6\xb7\x8b\x50\xcb"
-			  "\xa6\xf5\xa9\xbd\x7b\x75\x4c\x22"
-			  "\x0b\x19\x40\x2e\xc9\x39\x39\x32"
-			  "\x83\x03\xa8\xa4\x98\xe6\x8e\x16"
-			  "\xb9\xde\x08\xc5\xfc\xbf\xad\x39"
-			  "\xa8\xc7\x93\x6c\x6f\x23\xaf\xc1"
-			  "\xab\xe1\xdf\xbb\x39\xae\x93\x29"
-			  "\x0e\x7d\x80\x8d\x3e\x65\xf3\xfd"
-			  "\x96\x06\x65\x90\xa1\x28\x64\x4b"
-			  "\x69\xf9\xa8\x84\x27\x50\xfc\x87"
-			  "\xf7\xbf\x55\x8e\x56\x13\x58\x7b"
-			  "\x85\xb4\x6a\x72\x0f\x40\xf1\x4f"
-			  "\x83\x81\x1f\x76\xde\x15\x64\x7a"
-			  "\x7a\x80\xe4\xc7\x5e\x63\x01\x91"
-			  "\xd7\x6b\xea\x0b\x9b\xa2\x99\x3b"
-			  "\x6c\x88\xd8\xfd\x59\x3c\x8d\x22"
-			  "\x86\x56\xbe\xab\xa1\x37\x08\x01"
-			  "\x50\x85\x69\x29\xee\x9f\xdf\x21"
-			  "\x3e\x20\x20\xf5\xb0\xbb\x6b\xd0"
-			  "\x9c\x41\x38\xec\x54\x6f\x2d\xbd"
-			  "\x0f\xe1\xbd\xf1\x2b\x6e\x60\x56"
-			  "\x29\xe5\x7a\x70\x1c\xe2\xfc\x97"
-			  "\x82\x68\x67\xd9\x3d\x1f\xfb\xd8"
-			  "\x07\x9f\xbf\x96\x74\xba\x6a\x0e"
-			  "\x10\x48\x20\xd8\x13\x1e\xb5\x44"
-			  "\xf2\xcc\xb1\x8b\xfb\xbb\xec\xd7"
-			  "\x37\x70\x1f\x7c\x55\xd2\x4b\xb9"
-			  "\xfd\x70\x5e\xa3\x91\x73\x63\x52"
-			  "\x13\x47\x5a\x06\xfb\x01\x67\xa5"
-			  "\xc0\xd0\x49\x19\x56\x66\x9a\x77"
-			  "\x64\xaf\x8c\x25\x91\x52\x87\x0e"
-			  "\x18\xf3\x5f\x97\xfd\x71\x13\xf8"
-			  "\x05\xa5\x39\xcc\x65\xd3\xcc\x63"
-			  "\x5b\xdb\x5f\x7e\x5f\x6e\xad\xc4"
-			  "\xf4\xa0\xc5\xc2\x2b\x4d\x97\x38"
-			  "\x4f\xbc\xfa\x33\x17\xb4\x47\xb9"
-			  "\x43\x24\x15\x8d\xd2\xed\x80\x68"
-			  "\x84\xdb\x04\x80\xca\x5e\x6a\x35"
-			  "\x2c\x2c\xe7\xc5\x03\x5f\x54\xb0"
-			  "\x5e\x4f\x1d\x40\x54\x3d\x78\x9a"
-			  "\xac\xda\x80\x27\x4d\x15\x4c\x1a"
-			  "\x6e\x80\xc9\xc4\x3b\x84\x0e\xd9"
-			  "\x2e\x93\x01\x8c\xc3\xc8\x91\x4b"
-			  "\xb3\xaa\x07\x04\x68\x5b\x93\xa5"
-			  "\xe7\xc4\x9d\xe7\x07\xee\xf5\x3b"
-			  "\x40\x89\xcc\x60\x34\x9d\xb4\x06"
-			  "\x1b\xef\x92\xe6\xc1\x2a\x7d\x0f"
-			  "\x81\xaa\x56\xe3\xd7\xed\xa7\xd4"
-			  "\xa7\x3a\x49\xc4\xad\x81\x5c\x83"
-			  "\x55\x8e\x91\x54\xb7\x7d\x65\xa5"
-			  "\x06\x16\xd5\x9a\x16\xc1\xb0\xa2"
-			  "\x06\xd8\x98\x47\x73\x7e\x73\xa0"
-			  "\xb8\x23\xb1\x52\xbf\x68\x74\x5d"
-			  "\x0b\xcb\xfa\x8c\x46\xe3\x24\xe6"
-			  "\xab\xd4\x69\x8d\x8c\xf2\x8a\x59"
-			  "\xbe\x48\x46\x50\x8c\x9a\xe8\xe3"
-			  "\x31\x55\x0a\x06\xed\x4f\xf8\xb7"
-			  "\x4f\xe3\x85\x17\x30\xbd\xd5\x20"
-			  "\xe7\x5b\xb2\x32\xcf\x6b\x16\x44"
-			  "\xd2\xf5\x7e\xd7\xd1\x2f\xee\x64"
-			  "\x3e\x9d\x10\xef\x27\x35\x43\x64"
-			  "\x67\xfb\x7a\x7b\xe0\x62\x31\x9a"
-			  "\x4d\xdf\xa5\xab\xc0\x20\xbb\x01"
-			  "\xe9\x7b\x54\xf1\xde\xb2\x79\x50"
-			  "\x6c\x4b\x91\xdb\x7f\xbb\x50\xc1"
-			  "\x55\x44\x38\x9a\xe0\x9f\xe8\x29"
-			  "\x6f\x15\xf8\x4e\xa6\xec\xa0\x60",
-		.ksize	= 1088,
-		.plaintext	= "\x15\x68\x9e\x2f\xad\x15\x52\xdf"
-			  "\xf0\x42\x62\x24\x2a\x2d\xea\xbf"
-			  "\xc7\xf3\xb4\x1a\xf5\xed\xb2\x08"
-			  "\x15\x60\x1c\x00\x77\xbf\x0b\x0e"
-			  "\xb7\x2c\xcf\x32\x3a\xc7\x01\x77"
-			  "\xef\xa6\x75\xd0\x29\xc7\x68\x20"
-			  "\xb2\x92\x25\xbf\x12\x34\xe9\xa4"
-			  "\xfd\x32\x7b\x3f\x7c\xbd\xa5\x02"
-			  "\x38\x41\xde\xc9\xc1\x09\xd9\xfc"
-			  "\x6e\x78\x22\x83\x18\xf7\x50\x8d"
-			  "\x8f\x9c\x2d\x02\xa5\x30\xac\xff"
-			  "\xea\x63\x2e\x80\x37\x83\xb0\x58"
-			  "\xda\x2f\xef\x21\x55\xba\x7b\xb1"
-			  "\xb6\xed\xf5\xd2\x4d\xaa\x8c\xa9"
-			  "\xdd\xdb\x0f\xb4\xce\xc1\x9a\xb1"
-			  "\xc1\xdc\xbd\xab\x86\xc2\xdf\x0b"
-			  "\xe1\x2c\xf9\xbe\xf6\xd8\xda\x62"
-			  "\x72\xdd\x98\x09\x52\xc0\xc4\xb6"
-			  "\x7b\x17\x5c\xf5\xd8\x4b\x88\xd6"
-			  "\x6b\xbf\x84\x4a\x3f\xf5\x4d\xd2"
-			  "\x94\xe2\x9c\xff\xc7\x3c\xd9\xc8"
-			  "\x37\x38\xbc\x8c\xf3\xe7\xb7\xd0"
-			  "\x1d\x78\xc4\x39\x07\xc8\x5e\x79"
-			  "\xb6\x5a\x90\x5b\x6e\x97\xc9\xd4"
-			  "\x82\x9c\xf3\x83\x7a\xe7\x97\xfc"
-			  "\x1d\xbb\xef\xdb\xce\xe0\x82\xad"
-			  "\xca\x07\x6c\x54\x62\x6f\x81\xe6"
-			  "\x7a\x5a\x96\x6e\x80\x3a\xa2\x37"
-			  "\x6f\xc6\xa4\x29\xc3\x9e\x19\x94"
-			  "\x9f\xb0\x3e\x38\xfb\x3c\x2b\x7d"
-			  "\xaa\xb8\x74\xda\x54\x23\x51\x12"
-			  "\x4b\x96\x36\x8f\x91\x4f\x19\x37"
-			  "\x83\xc9\xdd\xc7\x1a\x32\x2d\xab"
-			  "\xc7\x89\xe2\x07\x47\x6c\xe8\xa6"
-			  "\x70\x6b\x8e\x0c\xda\x5c\x6a\x59"
-			  "\x27\x33\x0e\xe1\xe1\x20\xe8\xc8"
-			  "\xae\xdc\xd0\xe3\x6d\xa8\xa6\x06"
-			  "\x41\xb4\xd4\xd4\xcf\x91\x3e\x06"
-			  "\xb0\x9a\xf7\xf1\xaa\xa6\x23\x92"
-			  "\x10\x86\xf0\x94\xd1\x7c\x2e\x07"
-			  "\x30\xfb\xc5\xd8\xf3\x12\xa9\xe8"
-			  "\x22\x1c\x97\x1a\xad\x96\xb0\xa1"
-			  "\x72\x6a\x6b\xb4\xfd\xf7\xe8\xfa"
-			  "\xe2\x74\xd8\x65\x8d\x35\x17\x4b"
-			  "\x00\x23\x5c\x8c\x70\xad\x71\xa2"
-			  "\xca\xc5\x6c\x59\xbf\xb4\xc0\x6d"
-			  "\x86\x98\x3e\x19\x5a\x90\x92\xb1"
-			  "\x66\x57\x6a\x91\x68\x7c\xbc\xf3"
-			  "\xf1\xdb\x94\xf8\x48\xf1\x36\xd8"
-			  "\x78\xac\x1c\xa9\xcc\xd6\x27\xba"
-			  "\x91\x54\x22\xf5\xe6\x05\x3f\xcc"
-			  "\xc2\x8f\x2c\x3b\x2b\xc3\x2b\x2b"
-			  "\x3b\xb8\xb6\x29\xb7\x2f\x94\xb6"
-			  "\x7b\xfc\x94\x3e\xd0\x7a\x41\x59"
-			  "\x7b\x1f\x9a\x09\xa6\xed\x4a\x82"
-			  "\x9d\x34\x1c\xbd\x4e\x1c\x3a\x66"
-			  "\x80\x74\x0e\x9a\x4f\x55\x54\x47"
-			  "\x16\xba\x2a\x0a\x03\x35\x99\xa3"
-			  "\x5c\x63\x8d\xa2\x72\x8b\x17\x15"
-			  "\x68\x39\x73\xeb\xec\xf2\xe8\xf5"
-			  "\x95\x32\x27\xd6\xc4\xfe\xb0\x51"
-			  "\xd5\x0c\x50\xc5\xcd\x6d\x16\xb3"
-			  "\xa3\x1e\x95\x69\xad\x78\x95\x06"
-			  "\xb9\x46\xf2\x6d\x24\x5a\x99\x76"
-			  "\x73\x6a\x91\xa6\xac\x12\xe1\x28"
-			  "\x79\xbc\x08\x4e\x97\x00\x98\x63"
-			  "\x07\x1c\x4e\xd1\x68\xf3\xb3\x81"
-			  "\xa8\xa6\x5f\xf1\x01\xc9\xc1\xaf"
-			  "\x3a\x96\xf9\x9d\xb5\x5a\x5f\x8f"
-			  "\x7e\xc1\x7e\x77\x0a\x40\xc8\x8e"
-			  "\xfc\x0e\xed\xe1\x0d\xb0\xe5\x5e"
-			  "\x5e\x6f\xf5\x7f\xab\x33\x7d\xcd"
-			  "\xf0\x09\x4b\xb2\x11\x37\xdc\x65"
-			  "\x97\x32\x62\x71\x3a\x29\x54\xb9"
-			  "\xc7\xa4\xbf\x75\x0f\xf9\x40\xa9"
-			  "\x8d\xd7\x8b\xa7\xe0\x9a\xbe\x15"
-			  "\xc6\xda\xd8\x00\x14\x69\x1a\xaf"
-			  "\x5f\x79\xc3\xf5\xbb\x6c\x2a\x9d"
-			  "\xdd\x3c\x5f\x97\x21\xe1\x3a\x03"
-			  "\x84\x6a\xe9\x76\x11\x1f\xd3\xd5"
-			  "\xf0\x54\x20\x4d\xc2\x91\xc3\xa4"
-			  "\x36\x25\xbe\x1b\x2a\x06\xb7\xf3"
-			  "\xd1\xd0\x55\x29\x81\x4c\x83\xa3"
-			  "\xa6\x84\x1e\x5c\xd1\xd0\x6c\x90"
-			  "\xa4\x11\xf0\xd7\x63\x6a\x48\x05"
-			  "\xbc\x48\x18\x53\xcd\xb0\x8d\xdb"
-			  "\xdc\xfe\x55\x11\x5c\x51\xb3\xab"
-			  "\xab\x63\x3e\x31\x5a\x8b\x93\x63"
-			  "\x34\xa9\xba\x2b\x69\x1a\xc0\xe3"
-			  "\xcb\x41\xbc\xd7\xf5\x7f\x82\x3e"
-			  "\x01\xa3\x3c\x72\xf4\xfe\xdf\xbe"
-			  "\xb1\x67\x17\x2b\x37\x60\x0d\xca"
-			  "\x6f\xc3\x94\x2c\xd2\x92\x6d\x9d"
-			  "\x75\x18\x77\xaa\x29\x38\x96\xed"
-			  "\x0e\x20\x70\x92\xd5\xd0\xb4\x00"
-			  "\xc0\x31\xf2\xc9\x43\x0e\x75\x1d"
-			  "\x4b\x64\xf2\x1f\xf2\x29\x6c\x7b"
-			  "\x7f\xec\x59\x7d\x8c\x0d\xd4\xd3"
-			  "\xac\x53\x4c\xa3\xde\x42\x92\x95"
-			  "\x6d\xa3\x4f\xd0\xe6\x3d\xe7\xec"
-			  "\x7a\x4d\x68\xf1\xfe\x67\x66\x09"
-			  "\x83\x22\xb1\x98\x43\x8c\xab\xb8"
-			  "\x45\xe6\x6d\xdf\x5e\x50\x71\xce"
-			  "\xf5\x4e\x40\x93\x2b\xfa\x86\x0e"
-			  "\xe8\x30\xbd\x82\xcc\x1c\x9c\x5f"
-			  "\xad\xfd\x08\x31\xbe\x52\xe7\xe6"
-			  "\xf2\x06\x01\x62\x25\x15\x99\x74"
-			  "\x33\x51\x52\x57\x3f\x57\x87\x61"
-			  "\xb9\x7f\x29\x3d\xcd\x92\x5e\xa6"
-			  "\x5c\x3b\xf1\xed\x5f\xeb\x82\xed"
-			  "\x56\x7b\x61\xe7\xfd\x02\x47\x0e"
-			  "\x2a\x15\xa4\xce\x43\x86\x9b\xe1"
-			  "\x2b\x4c\x2a\xd9\x42\x97\xf7\x9a"
-			  "\xe5\x47\x46\x48\xd3\x55\x6f\x4d"
-			  "\xd9\xeb\x4b\xdd\x7b\x21\x2f\xb3"
-			  "\xa8\x36\x28\xdf\xca\xf1\xf6\xd9"
-			  "\x10\xf6\x1c\xfd\x2e\x0c\x27\xe0"
-			  "\x01\xb3\xff\x6d\x47\x08\x4d\xd4"
-			  "\x00\x25\xee\x55\x4a\xe9\xe8\x5b"
-			  "\xd8\xf7\x56\x12\xd4\x50\xb2\xe5"
-			  "\x51\x6f\x34\x63\x69\xd2\x4e\x96"
-			  "\x4e\xbc\x79\xbf\x18\xae\xc6\x13"
-			  "\x80\x92\x77\xb0\xb4\x0f\x29\x94"
-			  "\x6f\x4c\xbb\x53\x11\x36\xc3\x9f"
-			  "\x42\x8e\x96\x8a\x91\xc8\xe9\xfc"
-			  "\xfe\xbf\x7c\x2d\x6f\xf9\xb8\x44"
-			  "\x89\x1b\x09\x53\x0a\x2a\x92\xc3"
-			  "\x54\x7a\x3a\xf9\xe2\xe4\x75\x87"
-			  "\xa0\x5e\x4b\x03\x7a\x0d\x8a\xf4"
-			  "\x55\x59\x94\x2b\x63\x96\x0e\xf5",
-		.psize	= 1040,
-		.digest	= "\xb5\xb9\x08\xb3\x24\x3e\x03\xf0"
-			  "\xd6\x0b\x57\xbc\x0a\x6d\x89\x59",
-	}, {
-		.key	= "\xf6\x34\x42\x71\x35\x52\x8b\x58"
-			  "\x02\x3a\x8e\x4a\x8d\x41\x13\xe9"
-			  "\x7f\xba\xb9\x55\x9d\x73\x4d\xf8"
-			  "\x3f\x5d\x73\x15\xff\xd3\x9e\x7f"
-			  "\x20\x2a\x6a\xa8\xd1\xf0\x8f\x12"
-			  "\x6b\x02\xd8\x6c\xde\xba\x80\x22"
-			  "\x19\x37\xc8\xd0\x4e\x89\x17\x7c"
-			  "\x7c\xdd\x88\xfd\x41\xc0\x04\xb7"
-			  "\x1d\xac\x19\xe3\x20\xc7\x16\xcf"
-			  "\x58\xee\x1d\x7a\x61\x69\xa9\x12"
-			  "\x4b\xef\x4f\xb6\x38\xdd\x78\xf8"
-			  "\x28\xee\x70\x08\xc7\x7c\xcc\xc8"
-			  "\x1e\x41\xf5\x80\x86\x70\xd0\xf0"
-			  "\xa3\x87\x6b\x0a\x00\xd2\x41\x28"
-			  "\x74\x26\xf1\x24\xf3\xd0\x28\x77"
-			  "\xd7\xcd\xf6\x2d\x61\xf4\xa2\x13"
-			  "\x77\xb4\x6f\xa0\xf4\xfb\xd6\xb5"
-			  "\x38\x9d\x5a\x0c\x51\xaf\xad\x63"
-			  "\x27\x67\x8c\x01\xea\x42\x1a\x66"
-			  "\xda\x16\x7c\x3c\x30\x0c\x66\x53"
-			  "\x1c\x88\xa4\x5c\xb2\xe3\x78\x0a"
-			  "\x13\x05\x6d\xe2\xaf\xb3\xe4\x75"
-			  "\x00\x99\x58\xee\x76\x09\x64\xaa"
-			  "\xbb\x2e\xb1\x81\xec\xd8\x0e\xd3"
-			  "\x0c\x33\x5d\xb7\x98\xef\x36\xb6"
-			  "\xd2\x65\x69\x41\x70\x12\xdc\x25"
-			  "\x41\x03\x99\x81\x41\x19\x62\x13"
-			  "\xd1\x0a\x29\xc5\x8c\xe0\x4c\xf3"
-			  "\xd6\xef\x4c\xf4\x1d\x83\x2e\x6d"
-			  "\x8e\x14\x87\xed\x80\xe0\xaa\xd3"
-			  "\x08\x04\x73\x1a\x84\x40\xf5\x64"
-			  "\xbd\x61\x32\x65\x40\x42\xfb\xb0"
-			  "\x40\xf6\x40\x8d\xc7\x7f\x14\xd0"
-			  "\x83\x99\xaa\x36\x7e\x60\xc6\xbf"
-			  "\x13\x8a\xf9\x21\xe4\x7e\x68\x87"
-			  "\xf3\x33\x86\xb4\xe0\x23\x7e\x0a"
-			  "\x21\xb1\xf5\xad\x67\x3c\x9c\x9d"
-			  "\x09\xab\xaf\x5f\xba\xe0\xd0\x82"
-			  "\x48\x22\x70\xb5\x6d\x53\xd6\x0e"
-			  "\xde\x64\x92\x41\xb0\xd3\xfb\xda"
-			  "\x21\xfe\xab\xea\x20\xc4\x03\x58"
-			  "\x18\x2e\x7d\x2f\x03\xa9\x47\x66"
-			  "\xdf\x7b\xa4\x6b\x34\x6b\x55\x9c"
-			  "\x4f\xd7\x9c\x47\xfb\xa9\x42\xec"
-			  "\x5a\x12\xfd\xfe\x76\xa0\x92\x9d"
-			  "\xfe\x1e\x16\xdd\x24\x2a\xe4\x27"
-			  "\xd5\xa9\xf2\x05\x4f\x83\xa2\xaf"
-			  "\xfe\xee\x83\x7a\xad\xde\xdf\x9a"
-			  "\x80\xd5\x81\x14\x93\x16\x7e\x46"
-			  "\x47\xc2\x14\xef\x49\x6e\xb9\xdb"
-			  "\x40\xe8\x06\x6f\x9c\x2a\xfd\x62"
-			  "\x06\x46\xfd\x15\x1d\x36\x61\x6f"
-			  "\x77\x77\x5e\x64\xce\x78\x1b\x85"
-			  "\xbf\x50\x9a\xfd\x67\xa6\x1a\x65"
-			  "\xad\x5b\x33\x30\xf1\x71\xaa\xd9"
-			  "\x23\x0d\x92\x24\x5f\xae\x57\xb0"
-			  "\x24\x37\x0a\x94\x12\xfb\xb5\xb1"
-			  "\xd3\xb8\x1d\x12\x29\xb0\x80\x24"
-			  "\x2d\x47\x9f\x96\x1f\x95\xf1\xb1"
-			  "\xda\x35\xf6\x29\xe0\xe1\x23\x96"
-			  "\xc7\xe8\x22\x9b\x7c\xac\xf9\x41"
-			  "\x39\x01\xe5\x73\x15\x5e\x99\xec"
-			  "\xb4\xc1\xf4\xe7\xa7\x97\x6a\xd5"
-			  "\x90\x9a\xa0\x1d\xf3\x5a\x8b\x5f"
-			  "\xdf\x01\x52\xa4\x93\x31\x97\xb0"
-			  "\x93\x24\xb5\xbc\xb2\x14\x24\x98"
-			  "\x4a\x8f\x19\x85\xc3\x2d\x0f\x74"
-			  "\x9d\x16\x13\x80\x5e\x59\x62\x62"
-			  "\x25\xe0\xd1\x2f\x64\xef\xba\xac"
-			  "\xcd\x09\x07\x15\x8a\xcf\x73\xb5"
-			  "\x8b\xc9\xd8\x24\xb0\x53\xd5\x6f"
-			  "\xe1\x2b\x77\xb1\xc5\xe4\xa7\x0e"
-			  "\x18\x45\xab\x36\x03\x59\xa8\xbd"
-			  "\x43\xf0\xd8\x2c\x1a\x69\x96\xbb"
-			  "\x13\xdf\x6c\x33\x77\xdf\x25\x34"
-			  "\x5b\xa5\x5b\x8c\xf9\x51\x05\xd4"
-			  "\x8b\x8b\x44\x87\x49\xfc\xa0\x8f"
-			  "\x45\x15\x5b\x40\x42\xc4\x09\x92"
-			  "\x98\x0c\x4d\xf4\x26\x37\x1b\x13"
-			  "\x76\x01\x93\x8d\x4f\xe6\xed\x18"
-			  "\xd0\x79\x7b\x3f\x44\x50\xcb\xee"
-			  "\xf7\x4a\xc9\x9e\xe0\x96\x74\xa7"
-			  "\xe6\x93\xb2\x53\xca\x55\xa8\xdc"
-			  "\x1e\x68\x07\x87\xb7\x2e\xc1\x08"
-			  "\xb2\xa4\x5b\xaf\xc6\xdb\x5c\x66"
-			  "\x41\x1c\x51\xd9\xb0\x07\x00\x0d"
-			  "\xf0\x4c\xdc\x93\xde\xa9\x1e\x8e"
-			  "\xd3\x22\x62\xd8\x8b\x88\x2c\xea"
-			  "\x5e\xf1\x6e\x14\x40\xc7\xbe\xaa"
-			  "\x42\x28\xd0\x26\x30\x78\x01\x9b"
-			  "\x83\x07\xbc\x94\xc7\x57\xa2\x9f"
-			  "\x03\x07\xff\x16\xff\x3c\x6e\x48"
-			  "\x0a\xd0\xdd\x4c\xf6\x64\x9a\xf1"
-			  "\xcd\x30\x12\x82\x2c\x38\xd3\x26"
-			  "\x83\xdb\xab\x3e\xc6\xf8\xe6\xfa"
-			  "\x77\x0a\x78\x82\x75\xf8\x63\x51"
-			  "\x59\xd0\x8d\x24\x9f\x25\xe6\xa3"
-			  "\x4c\xbc\x34\xfc\xe3\x10\xc7\x62"
-			  "\xd4\x23\xc8\x3d\xa7\xc6\xa6\x0a"
-			  "\x4f\x7e\x29\x9d\x6d\xbe\xb5\xf1"
-			  "\xdf\xa4\x53\xfa\xc0\x23\x0f\x37"
-			  "\x84\x68\xd0\xb5\xc8\xc6\xae\xf8"
-			  "\xb7\x8d\xb3\x16\xfe\x8f\x87\xad"
-			  "\xd0\xc1\x08\xee\x12\x1c\x9b\x1d"
-			  "\x90\xf8\xd1\x63\xa4\x92\x3c\xf0"
-			  "\xc7\x34\xd8\xf1\x14\xed\xa3\xbc"
-			  "\x17\x7e\xd4\x62\x42\x54\x57\x2c"
-			  "\x3e\x7a\x35\x35\x17\x0f\x0b\x7f"
-			  "\x81\xa1\x3f\xd0\xcd\xc8\x3b\x96"
-			  "\xe9\xe0\x4a\x04\xe1\xb6\x3c\xa1"
-			  "\xd6\xca\xc4\xbd\xb6\xb5\x95\x34"
-			  "\x12\x9d\xc5\x96\xf2\xdf\xba\x54"
-			  "\x76\xd1\xb2\x6b\x3b\x39\xe0\xb9"
-			  "\x18\x62\xfb\xf7\xfc\x12\xf1\x5f"
-			  "\x7e\xc7\xe3\x59\x4c\xa6\xc2\x3d"
-			  "\x40\x15\xf9\xa3\x95\x64\x4c\x74"
-			  "\x8b\x73\x77\x33\x07\xa7\x04\x1d"
-			  "\x33\x5a\x7e\x8f\xbd\x86\x01\x4f"
-			  "\x3e\xb9\x27\x6f\xe2\x41\xf7\x09"
-			  "\x67\xfd\x29\x28\xc5\xe4\xf6\x18"
-			  "\x4c\x1b\x49\xb2\x9c\x5b\xf6\x81"
-			  "\x4f\xbb\x5c\xcc\x0b\xdf\x84\x23"
-			  "\x58\xd6\x28\x34\x93\x3a\x25\x97"
-			  "\xdf\xb2\xc3\x9e\x97\x38\x0b\x7d"
-			  "\x10\xb3\x54\x35\x23\x8c\x64\xee"
-			  "\xf0\xd8\x66\xff\x8b\x22\xd2\x5b"
-			  "\x05\x16\x3c\x89\xf7\xb1\x75\xaf"
-			  "\xc0\xae\x6a\x4f\x3f\xaf\x9a\xf4"
-			  "\xf4\x9a\x24\xd9\x80\x82\xc0\x12"
-			  "\xde\x96\xd1\xbe\x15\x0b\x8d\x6a"
-			  "\xd7\x12\xe4\x85\x9f\x83\xc9\xc3"
-			  "\xff\x0b\xb5\xaf\x3b\xd8\x6d\x67"
-			  "\x81\x45\xe6\xac\xec\xc1\x7b\x16"
-			  "\x18\x0a\xce\x4b\xc0\x2e\x76\xbc"
-			  "\x1b\xfa\xb4\x34\xb8\xfc\x3e\xc8"
-			  "\x5d\x90\x71\x6d\x7a\x79\xef\x06",
-		.ksize	= 1088,
-		.plaintext	= "\xaa\x5d\x54\xcb\xea\x1e\x46\x0f"
-			  "\x45\x87\x70\x51\x8a\x66\x7a\x33"
-			  "\xb4\x18\xff\xa9\x82\xf9\x45\x4b"
-			  "\x93\xae\x2e\x7f\xab\x98\xfe\xbf"
-			  "\x01\xee\xe5\xa0\x37\x8f\x57\xa6"
-			  "\xb0\x76\x0d\xa4\xd6\x28\x2b\x5d"
-			  "\xe1\x03\xd6\x1c\x6f\x34\x0d\xe7"
-			  "\x61\x2d\x2e\xe5\xae\x5d\x47\xc7"
-			  "\x80\x4b\x18\x8f\xa8\x99\xbc\x28"
-			  "\xed\x1d\x9d\x86\x7d\xd7\x41\xd1"
-			  "\xe0\x2b\xe1\x8c\x93\x2a\xa7\x80"
-			  "\xe1\x07\xa0\xa9\x9f\x8c\x8d\x1a"
-			  "\x55\xfc\x6b\x24\x7a\xbd\x3e\x51"
-			  "\x68\x4b\x26\x59\xc8\xa7\x16\xd9"
-			  "\xb9\x61\x13\xde\x8b\x63\x1c\xf6"
-			  "\x60\x01\xfb\x08\xb3\x5b\x0a\xbf"
-			  "\x34\x73\xda\x87\x87\x3d\x6f\x97"
-			  "\x4a\x0c\xa3\x58\x20\xa2\xc0\x81"
-			  "\x5b\x8c\xef\xa9\xc2\x01\x1e\x64"
-			  "\x83\x8c\xbc\x03\xb6\xd0\x29\x9f"
-			  "\x54\xe2\xce\x8b\xc2\x07\x85\x78"
-			  "\x25\x38\x96\x4c\xb4\xbe\x17\x4a"
-			  "\x65\xa6\xfa\x52\x9d\x66\x9d\x65"
-			  "\x4a\xd1\x01\x01\xf0\xcb\x13\xcc"
-			  "\xa5\x82\xf3\xf2\x66\xcd\x3f\x9d"
-			  "\xd1\xaa\xe4\x67\xea\xf2\xad\x88"
-			  "\x56\x76\xa7\x9b\x59\x3c\xb1\x5d"
-			  "\x78\xfd\x69\x79\x74\x78\x43\x26"
-			  "\x7b\xde\x3f\xf1\xf5\x4e\x14\xd9"
-			  "\x15\xf5\x75\xb5\x2e\x19\xf3\x0c"
-			  "\x48\x72\xd6\x71\x6d\x03\x6e\xaa"
-			  "\xa7\x08\xf9\xaa\x70\xa3\x0f\x4d"
-			  "\x12\x8a\xdd\xe3\x39\x73\x7e\xa7"
-			  "\xea\x1f\x6d\x06\x26\x2a\xf2\xc5"
-			  "\x52\xb4\xbf\xfd\x52\x0c\x06\x60"
-			  "\x90\xd1\xb2\x7b\x56\xae\xac\x58"
-			  "\x5a\x6b\x50\x2a\xf5\xe0\x30\x3c"
-			  "\x2a\x98\x0f\x1b\x5b\x0a\x84\x6c"
-			  "\x31\xae\x92\xe2\xd4\xbb\x7f\x59"
-			  "\x26\x10\xb9\x89\x37\x68\x26\xbf"
-			  "\x41\xc8\x49\xc4\x70\x35\x7d\xff"
-			  "\x2d\x7f\xf6\x8a\x93\x68\x8c\x78"
-			  "\x0d\x53\xce\x7d\xff\x7d\xfb\xae"
-			  "\x13\x1b\x75\xc4\x78\xd7\x71\xd8"
-			  "\xea\xd3\xf4\x9d\x95\x64\x8e\xb4"
-			  "\xde\xb8\xe4\xa6\x68\xc8\xae\x73"
-			  "\x58\xaf\xa8\xb0\x5a\x20\xde\x87"
-			  "\x43\xb9\x0f\xe3\xad\x41\x4b\xd5"
-			  "\xb7\xad\x16\x00\xa6\xff\xf6\x74"
-			  "\xbf\x8c\x9f\xb3\x58\x1b\xb6\x55"
-			  "\xa9\x90\x56\x28\xf0\xb5\x13\x4e"
-			  "\x9e\xf7\x25\x86\xe0\x07\x7b\x98"
-			  "\xd8\x60\x5d\x38\x95\x3c\xe4\x22"
-			  "\x16\x2f\xb2\xa2\xaf\xe8\x90\x17"
-			  "\xec\x11\x83\x1a\xf4\xa9\x26\xda"
-			  "\x39\x72\xf5\x94\x61\x05\x51\xec"
-			  "\xa8\x30\x8b\x2c\x13\xd0\x72\xac"
-			  "\xb9\xd2\xa0\x4c\x4b\x78\xe8\x6e"
-			  "\x04\x85\xe9\x04\x49\x82\x91\xff"
-			  "\x89\xe5\xab\x4c\xaa\x37\x03\x12"
-			  "\xca\x8b\x74\x10\xfd\x9e\xd9\x7b"
-			  "\xcb\xdb\x82\x6e\xce\x2e\x33\x39"
-			  "\xce\xd2\x84\x6e\x34\x71\x51\x6e"
-			  "\x0d\xd6\x01\x87\xc7\xfa\x0a\xd3"
-			  "\xad\x36\xf3\x4c\x9f\x96\x5e\x62"
-			  "\x62\x54\xc3\x03\x78\xd6\xab\xdd"
-			  "\x89\x73\x55\x25\x30\xf8\xa7\xe6"
-			  "\x4f\x11\x0c\x7c\x0a\xa1\x2b\x7b"
-			  "\x3d\x0d\xde\x81\xd4\x9d\x0b\xae"
-			  "\xdf\x00\xf9\x4c\xb6\x90\x8e\x16"
-			  "\xcb\x11\xc8\xd1\x2e\x73\x13\x75"
-			  "\x75\x3e\xaa\xf5\xee\x02\xb3\x18"
-			  "\xa6\x2d\xf5\x3b\x51\xd1\x1f\x47"
-			  "\x6b\x2c\xdb\xc4\x10\xe0\xc8\xba"
-			  "\x9d\xac\xb1\x9d\x75\xd5\x41\x0e"
-			  "\x7e\xbe\x18\x5b\xa4\x1f\xf8\x22"
-			  "\x4c\xc1\x68\xda\x6d\x51\x34\x6c"
-			  "\x19\x59\xec\xb5\xb1\xec\xa7\x03"
-			  "\xca\x54\x99\x63\x05\x6c\xb1\xac"
-			  "\x9c\x31\xd6\xdb\xba\x7b\x14\x12"
-			  "\x7a\xc3\x2f\xbf\x8d\xdc\x37\x46"
-			  "\xdb\xd2\xbc\xd4\x2f\xab\x30\xd5"
-			  "\xed\x34\x99\x8e\x83\x3e\xbe\x4c"
-			  "\x86\x79\x58\xe0\x33\x8d\x9a\xb8"
-			  "\xa9\xa6\x90\x46\xa2\x02\xb8\xdd"
-			  "\xf5\xf9\x1a\x5c\x8c\x01\xaa\x6e"
-			  "\xb4\x22\x12\xf5\x0c\x1b\x9b\x7a"
-			  "\xc3\x80\xf3\x06\x00\x5f\x30\xd5"
-			  "\x06\xdb\x7d\x82\xc2\xd4\x0b\x4c"
-			  "\x5f\xe9\xc5\xf5\xdf\x97\x12\xbf"
-			  "\x56\xaf\x9b\x69\xcd\xee\x30\xb4"
-			  "\xa8\x71\xff\x3e\x7d\x73\x7a\xb4"
-			  "\x0d\xa5\x46\x7a\xf3\xf4\x15\x87"
-			  "\x5d\x93\x2b\x8c\x37\x64\xb5\xdd"
-			  "\x48\xd1\xe5\x8c\xae\xd4\xf1\x76"
-			  "\xda\xf4\xba\x9e\x25\x0e\xad\xa3"
-			  "\x0d\x08\x7c\xa8\x82\x16\x8d\x90"
-			  "\x56\x40\x16\x84\xe7\x22\x53\x3a"
-			  "\x58\xbc\xb9\x8f\x33\xc8\xc2\x84"
-			  "\x22\xe6\x0d\xe7\xb3\xdc\x5d\xdf"
-			  "\xd7\x2a\x36\xe4\x16\x06\x07\xd2"
-			  "\x97\x60\xb2\xf5\x5e\x14\xc9\xfd"
-			  "\x8b\x05\xd1\xce\xee\x9a\x65\x99"
-			  "\xb7\xae\x19\xb7\xc8\xbc\xd5\xa2"
-			  "\x7b\x95\xe1\xcc\xba\x0d\xdc\x8a"
-			  "\x1d\x59\x52\x50\xaa\x16\x02\x82"
-			  "\xdf\x61\x33\x2e\x44\xce\x49\xc7"
-			  "\xe5\xc6\x2e\x76\xcf\x80\x52\xf0"
-			  "\x3d\x17\x34\x47\x3f\xd3\x80\x48"
-			  "\xa2\xba\xd5\xc7\x7b\x02\x28\xdb"
-			  "\xac\x44\xc7\x6e\x05\x5c\xc2\x79"
-			  "\xb3\x7d\x6a\x47\x77\x66\xf1\x38"
-			  "\xf0\xf5\x4f\x27\x1a\x31\xca\x6c"
-			  "\x72\x95\x92\x8e\x3f\xb0\xec\x1d"
-			  "\xc7\x2a\xff\x73\xee\xdf\x55\x80"
-			  "\x93\xd2\xbd\x34\xd3\x9f\x00\x51"
-			  "\xfb\x2e\x41\xba\x6c\x5a\x7c\x17"
-			  "\x7f\xe6\x70\xac\x8d\x39\x3f\x77"
-			  "\xe2\x23\xac\x8f\x72\x4e\xe4\x53"
-			  "\xcc\xf1\x1b\xf1\x35\xfe\x52\xa4"
-			  "\xd6\xb8\x40\x6b\xc1\xfd\xa0\xa1"
-			  "\xf5\x46\x65\xc2\x50\xbb\x43\xe2"
-			  "\xd1\x43\x28\x34\x74\xf5\x87\xa0"
-			  "\xf2\x5e\x27\x3b\x59\x2b\x3e\x49"
-			  "\xdf\x46\xee\xaf\x71\xd7\x32\x36"
-			  "\xc7\x14\x0b\x58\x6e\x3e\x2d\x41"
-			  "\xfa\x75\x66\x3a\x54\xe0\xb2\xb9"
-			  "\xaf\xdd\x04\x80\x15\x19\x3f\x6f"
-			  "\xce\x12\xb4\xd8\xe8\x89\x3c\x05"
-			  "\x30\xeb\xf3\x3d\xcd\x27\xec\xdc"
-			  "\x56\x70\x12\xcf\x78\x2b\x77\xbf"
-			  "\x22\xf0\x1b\x17\x9c\xcc\xd6\x1b"
-			  "\x2d\x3d\xa0\x3b\xd8\xc9\x70\xa4"
-			  "\x7a\x3e\x07\xb9\x06\xc3\xfa\xb0"
-			  "\x33\xee\xc1\xd8\xf6\xe0\xf0\xb2"
-			  "\x61\x12\x69\xb0\x5f\x28\x99\xda"
-			  "\xc3\x61\x48\xfa\x07\x16\x03\xc4"
-			  "\xa8\xe1\x3c\xe8\x0e\x64\x15\x30"
-			  "\xc1\x9d\x84\x2f\x73\x98\x0e\x3a"
-			  "\xf2\x86\x21\xa4\x9e\x1d\xb5\x86"
-			  "\x16\xdb\x2b\x9a\x06\x64\x8e\x79"
-			  "\x8d\x76\x3e\xc3\xc2\x64\x44\xe3"
-			  "\xda\xbc\x1a\x52\xd7\x61\x03\x65"
-			  "\x54\x32\x77\x01\xed\x9d\x8a\x43"
-			  "\x25\x24\xe3\xc1\xbe\xb8\x2f\xcb"
-			  "\x89\x14\x64\xab\xf6\xa0\x6e\x02"
-			  "\x57\xe4\x7d\xa9\x4e\x9a\x03\x36"
-			  "\xad\xf1\xb1\xfc\x0b\xe6\x79\x51"
-			  "\x9f\x81\x77\xc4\x14\x78\x9d\xbf"
-			  "\xb6\xd6\xa3\x8c\xba\x0b\x26\xe7"
-			  "\xc8\xb9\x5c\xcc\xe1\x5f\xd5\xc6"
-			  "\xc4\xca\xc2\xa3\x45\xba\x94\x13"
-			  "\xb2\x8f\xc3\x54\x01\x09\xe7\x8b"
-			  "\xda\x2a\x0a\x11\x02\x43\xcb\x57"
-			  "\xc9\xcc\xb5\x5c\xab\xc4\xec\x54"
-			  "\x00\x06\x34\xe1\x6e\x03\x89\x7c"
-			  "\xc6\xfb\x6a\xc7\x60\x43\xd6\xc5"
-			  "\xb5\x68\x72\x89\x8f\x42\xc3\x74"
-			  "\xbd\x25\xaa\x9f\x67\xb5\xdf\x26"
-			  "\x20\xe8\xb7\x01\x3c\xe4\x77\xce"
-			  "\xc4\x65\xa7\x23\x79\xea\x33\xc7"
-			  "\x82\x14\x5c\x82\xf2\x4e\x3d\xf6"
-			  "\xc6\x4a\x0e\x29\xbb\xec\x44\xcd"
-			  "\x2f\xd1\x4f\x21\x71\xa9\xce\x0f"
-			  "\x5c\xf2\x72\x5c\x08\x2e\x21\xd2"
-			  "\xc3\x29\x13\xd8\xac\xc3\xda\x13"
-			  "\x1a\x9d\xa7\x71\x1d\x27\x1d\x27"
-			  "\x1d\xea\xab\x44\x79\xad\xe5\xeb"
-			  "\xef\x1f\x22\x0a\x44\x4f\xcb\x87"
-			  "\xa7\x58\x71\x0e\x66\xf8\x60\xbf"
-			  "\x60\x74\x4a\xb4\xec\x2e\xfe\xd3"
-			  "\xf5\xb8\xfe\x46\x08\x50\x99\x6c"
-			  "\x66\xa5\xa8\x34\x44\xb5\xe5\xf0"
-			  "\xdd\x2c\x67\x4e\x35\x96\x8e\x67"
-			  "\x48\x3f\x5f\x37\x44\x60\x51\x2e"
-			  "\x14\x91\x5e\x57\xc3\x0e\x79\x77"
-			  "\x2f\x03\xf4\xe2\x1c\x72\xbf\x85"
-			  "\x5d\xd3\x17\xdf\x6c\xc5\x70\x24"
-			  "\x42\xdf\x51\x4e\x2a\xb2\xd2\x5b"
-			  "\x9e\x69\x83\x41\x11\xfe\x73\x22"
-			  "\xde\x8a\x9e\xd8\x8a\xfb\x20\x38"
-			  "\xd8\x47\x6f\xd5\xed\x8f\x41\xfd"
-			  "\x13\x7a\x18\x03\x7d\x0f\xcd\x7d"
-			  "\xa6\x7d\x31\x9e\xf1\x8f\x30\xa3"
-			  "\x8b\x4c\x24\xb7\xf5\x48\xd7\xd9"
-			  "\x12\xe7\x84\x97\x5c\x31\x6d\xfb"
-			  "\xdf\xf3\xd3\xd1\xd5\x0c\x30\x06"
-			  "\x01\x6a\xbc\x6c\x78\x7b\xa6\x50"
-			  "\xfa\x0f\x3c\x42\x2d\xa5\xa3\x3b"
-			  "\xcf\x62\x50\xff\x71\x6d\xe7\xda"
-			  "\x27\xab\xc6\x67\x16\x65\x68\x64"
-			  "\xc7\xd5\x5f\x81\xa9\xf6\x65\xb3"
-			  "\x5e\x43\x91\x16\xcd\x3d\x55\x37"
-			  "\x55\xb3\xf0\x28\xc5\x54\x19\xc0"
-			  "\xe0\xd6\x2a\x61\xd4\xc8\x72\x51"
-			  "\xe9\xa1\x7b\x48\x21\xad\x44\x09"
-			  "\xe4\x01\x61\x3c\x8a\x5b\xf9\xa1"
-			  "\x6e\x1b\xdf\xc0\x04\xa8\x8b\xf2"
-			  "\x21\xbe\x34\x7b\xfc\xa1\xcd\xc9"
-			  "\xa9\x96\xf4\xa4\x4c\xf7\x4e\x8f"
-			  "\x84\xcc\xd3\xa8\x92\x77\x8f\x36"
-			  "\xe2\x2e\x8c\x33\xe8\x84\xa6\x0c"
-			  "\x6c\x8a\xda\x14\x32\xc2\x96\xff"
-			  "\xc6\x4a\xc2\x9b\x30\x7f\xd1\x29"
-			  "\xc0\xd5\x78\x41\x00\x80\x80\x03"
-			  "\x2a\xb1\xde\x26\x03\x48\x49\xee"
-			  "\x57\x14\x76\x51\x3c\x36\x5d\x0a"
-			  "\x5c\x9f\xe8\xd8\x53\xdb\x4f\xd4"
-			  "\x38\xbf\x66\xc9\x75\x12\x18\x75"
-			  "\x34\x2d\x93\x22\x96\x51\x24\x6e"
-			  "\x4e\xd9\x30\xea\x67\xff\x92\x1c"
-			  "\x16\x26\xe9\xb5\x33\xab\x8c\x22"
-			  "\x47\xdb\xa0\x2c\x08\xf0\x12\x69"
-			  "\x7e\x93\x52\xda\xa5\xe5\xca\xc1"
-			  "\x0f\x55\x2a\xbd\x09\x30\x88\x1b"
-			  "\x9c\xc6\x9f\xe6\xdb\xa6\x92\xeb"
-			  "\xf4\xbd\x5c\xc4\xdb\xc6\x71\x09"
-			  "\xab\x5e\x48\x0c\xed\x6f\xda\x8e"
-			  "\x8d\x0c\x98\x71\x7d\x10\xd0\x9c"
-			  "\x20\x9b\x79\x53\x26\x5d\xb9\x85"
-			  "\x8a\x31\xb8\xc5\x1c\x97\xde\x88"
-			  "\x61\x55\x7f\x7c\x21\x06\xea\xc4"
-			  "\x5f\xaf\xf2\xf0\xd5\x5e\x7d\xb4"
-			  "\x6e\xcf\xe9\xae\x1b\x0e\x11\x80"
-			  "\xc1\x9a\x74\x7e\x52\x6f\xa0\xb7"
-			  "\x24\xcd\x8d\x0a\x11\x40\x63\x72"
-			  "\xfa\xe2\xc5\xb3\x94\xef\x29\xa2"
-			  "\x1a\x23\x43\x04\x37\x55\x0d\xe9"
-			  "\x83\xb2\x29\x51\x49\x64\xa0\xbd"
-			  "\xde\x73\xfd\xa5\x7c\x95\x70\x62"
-			  "\x58\xdc\xe2\xd0\xbf\x98\xf5\x8a"
-			  "\x6a\xfd\xce\xa8\x0e\x42\x2a\xeb"
-			  "\xd2\xff\x83\x27\x53\x5c\xa0\x6e"
-			  "\x93\xef\xe2\xb9\x5d\x35\xd6\x98"
-			  "\xf6\x71\x19\x7a\x54\xa1\xa7\xe8"
-			  "\x09\xfe\xf6\x9e\xc7\xbd\x3e\x29"
-			  "\xbd\x6b\x17\xf4\xe7\x3e\x10\x5c"
-			  "\xc1\xd2\x59\x4f\x4b\x12\x1a\x5b"
-			  "\x50\x80\x59\xb9\xec\x13\x66\xa8"
-			  "\xd2\x31\x7b\x6a\x61\x22\xdd\x7d"
-			  "\x61\xee\x87\x16\x46\x9f\xf9\xc7"
-			  "\x41\xee\x74\xf8\xd0\x96\x2c\x76"
-			  "\x2a\xac\x7d\x6e\x9f\x0e\x7f\x95"
-			  "\xfe\x50\x16\xb2\x23\xca\x62\xd5"
-			  "\x68\xcf\x07\x3f\x3f\x97\x85\x2a"
-			  "\x0c\x25\x45\xba\xdb\x32\xcb\x83"
-			  "\x8c\x4f\xe0\x6d\x9a\x99\xf9\xc9"
-			  "\xda\xd4\x19\x31\xc1\x7c\x6d\xd9"
-			  "\x9c\x56\xd3\xec\xc1\x81\x4c\xed"
-			  "\x28\x9d\x87\xeb\x19\xd7\x1a\x4f"
-			  "\x04\x6a\xcb\x1f\xcf\x1f\xa2\x16"
-			  "\xfc\x2a\x0d\xa1\x14\x2d\xfa\xc5"
-			  "\x5a\xd2\xc5\xf9\x19\x7c\x20\x1f"
-			  "\x2d\x10\xc0\x66\x7c\xd9\x2d\xe5"
-			  "\x88\x70\x59\xa7\x85\xd5\x2e\x7c"
-			  "\x5c\xe3\xb7\x12\xd6\x97\x3f\x29",
-		.psize	= 2048,
-		.digest	= "\x37\x90\x92\xc2\xeb\x01\x87\xd9"
-			  "\x95\xc7\x91\xc3\x17\x8b\x38\x52",
-	}
-};
-
-
 /*
  * DES test vectors.
  */
 static const struct cipher_testvec des_tv_template[] = {
 	{ /* From Applied Cryptography */
-- 
2.52.0

Re: [PATCH 11/12] crypto: testmgr - Remove nhpoly1305 tests

[Herbert Xu]

On Wed, Dec 10, 2025 at 05:18:43PM -0800, Eric Biggers wrote:
> These are no longer used, since nhpoly1305 support has been removed from
> the crypto_shash API.
> 
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> ---
>  crypto/testmgr.c |    6 -
>  crypto/testmgr.h | 1372 ----------------------------------------------
>  2 files changed, 1378 deletions(-)

Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

[PATCH 12/12] fscrypt: Drop obsolete recommendation to enable optimized NHPoly1305

[Eric Biggers]

CONFIG_CRYPTO_NHPOLY1305_NEON, CONFIG_CRYPTO_NHPOLY1305_SSE2, and
CONFIG_CRYPTO_NHPOLY1305_AVX2 no longer exist.  The equivalent
optimizations are now just enabled automatically when Adiantum support
is enabled.  Update the fscrypt documentation accordingly.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 Documentation/filesystems/fscrypt.rst | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/Documentation/filesystems/fscrypt.rst b/Documentation/filesystems/fscrypt.rst
index 70af896822e1..c0dd35f1af12 100644
--- a/Documentation/filesystems/fscrypt.rst
+++ b/Documentation/filesystems/fscrypt.rst
@@ -453,15 +453,10 @@ API, but the filenames mode still does.
         - x86: CONFIG_CRYPTO_AES_NI_INTEL
 
 - Adiantum
     - Mandatory:
         - CONFIG_CRYPTO_ADIANTUM
-    - Recommended:
-        - arm32: CONFIG_CRYPTO_NHPOLY1305_NEON
-        - arm64: CONFIG_CRYPTO_NHPOLY1305_NEON
-        - x86: CONFIG_CRYPTO_NHPOLY1305_SSE2
-        - x86: CONFIG_CRYPTO_NHPOLY1305_AVX2
 
 - AES-128-CBC-ESSIV and AES-128-CBC-CTS:
     - Mandatory:
         - CONFIG_CRYPTO_ESSIV
         - CONFIG_CRYPTO_SHA256 or another SHA-256 implementation
-- 
2.52.0