Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp4221709imm;
        Mon, 15 Oct 2018 11:01:44 -0700 (PDT)
X-Google-Smtp-Source: ACcGV60A+XsxAEIKIvgCCJNsBlO6Yj0/UEpuMFEm2gY35yBzIfXteGAuzFs9du9yzA4tlGrwM1Xq
X-Received: by 2002:a62:898d:: with SMTP id n13-v6mr18804020pfk.57.1539626503975;
        Mon, 15 Oct 2018 11:01:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1539626503; cv=none;
        d=google.com; s=arc-20160816;
        b=cVa6ogqepe+QBYTK8MyPyYzeVgoeO/AbjasCfWGLN1HecUoJ83tzLWAf9jhFD0EClp
         RDAaRnKpDAFad9zr5dRA6+Ejl3QLD3W0uZIVDZEwHlvGEqV0pYNvgTInpUcjPY4iEnJq
         PUrltKJ8cgs0er1IMwcq8p+keZVGWmGj6hTSbUxPR6IZJLB/daAEXuS1/0F0/x+igRVb
         jPeGbv1QcITl81nYL0Ssu1Fjx+2WHG5Si1yaJ2/I2sotbj3UVlO4oYW6r12O81otUFQx
         NlvfWz/Kgr7D61PIf+1hWhj7kroeH/LaU/qowJDu/hf6oV311TGiHcGqeLTt09fdOi6C
         Z/oQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=pdxN+Lnq98Cg2e5NY/Vgh4NnfW/X1A4Mik5krzQDe/g=;
        b=PMRMlfWtTktvEYxXLd8YMYSeLfDGe2AZpXl37fmVHJtiz4+nUFgy5XeklF1prqF7GF
         XekNCWmKUNk/peD/zKbR4OhZTuu8od9SFQMXLpqaenV02cfx5owQJ86RwIKM3UjRzq0p
         L0NqaPeBtEsVLGvts1MqNefYLKyw48wrmgMlDhIUaS5JrABEqCg1z6ooRDotVQMnIrF9
         5rm0ciUI2v9JmFJ9H4HxzHkBD1LigBL4xKtRIKbgjAoR/dQUq/v0IBJbdQB0sGQJSW1o
         uEfFqFdnE/ZCad7GDmjT2yaS3GIgxpa+6O8SpQG+qOMwOVku4jhk2YRfqLt6Z2QDonJB
         WlVg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=atzAePuD;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g25-v6si10794809pfa.285.2018.10.15.11.01.27;
        Mon, 15 Oct 2018 11:01:43 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=atzAePuD;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727048AbeJPBne (ORCPT <rfc822;huangleihappily@gmail.com>
        + 99 others); Mon, 15 Oct 2018 21:43:34 -0400
Received: from mail.kernel.org ([198.145.29.99]:54072 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726821AbeJPBmu (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 15 Oct 2018 21:42:50 -0400
Received: from ebiggers-linuxstation.kir.corp.google.com (unknown [104.132.51.88])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 2F02221476;
        Mon, 15 Oct 2018 17:56:32 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1539626192;
        bh=3UAgcJorP01gMeSZPj7lLGk2NrxNVMeHM2OIlzsI5jk=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=atzAePuDCjGFRFBIjTidfvyXToeDkKmr85jXS9Kv1ZB09oPk8Nuk6SuJXxes3k9yi
         gLKIQpo6rRUSD9QWATqtEIFF0lrH1Zv71935nrnufGqE0rGbN/dc59TdZEz004kHum
         yHBDonh+GvgYOqEEK4fOqokbRWY3dJN2IMpfM+dQ=
From:   Eric Biggers <ebiggers@kernel.org>
To:     linux-crypto@vger.kernel.org
Cc:     linux-fscrypt@vger.kernel.org,
        linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
        Herbert Xu <herbert@gondor.apana.org.au>,
        Paul Crowley <paulcrowley@google.com>,
        Greg Kaiser <gkaiser@google.com>,
        Michael Halcrow <mhalcrow@google.com>,
        "Jason A . Donenfeld" <Jason@zx2c4.com>,
        Samuel Neves <samuel.c.p.neves@gmail.com>,
        Tomer Ashur <tomer.ashur@esat.kuleuven.be>
Subject: [RFC PATCH v2 07/12] crypto: arm/chacha - add XChaCha12 support
Date:   Mon, 15 Oct 2018 10:54:19 -0700
Message-Id: <20181015175424.97147-8-ebiggers@kernel.org>
X-Mailer: git-send-email 2.19.1.331.ge82ca0e54c-goog
In-Reply-To: <20181015175424.97147-1-ebiggers@kernel.org>
References: <20181015175424.97147-1-ebiggers@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Eric Biggers <ebiggers@google.com>

Now that the 32-bit ARM NEON implementation of ChaCha20 and XChaCha20
has been refactored to support varying the number of rounds, add support
for XChaCha12.  This is identical to XChaCha20 except for the number of
rounds, which is 12 instead of 20.

XChaCha12 is faster than XChaCha20 but has a lower security margin,
though still greater than AES-256's since the best known attacks make it
through only 7 rounds.  See the patch "crypto: chacha - add XChaCha12
support" for more details about why we need XChaCha12 support.

Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 arch/arm/crypto/Kconfig            |  2 +-
 arch/arm/crypto/chacha-neon-glue.c | 21 ++++++++++++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/arch/arm/crypto/Kconfig b/arch/arm/crypto/Kconfig
index 0aa1471f27d2e..cc932d9bba561 100644
--- a/arch/arm/crypto/Kconfig
+++ b/arch/arm/crypto/Kconfig
@@ -117,7 +117,7 @@ config CRYPTO_CRC32_ARM_CE
 	select CRYPTO_HASH
 
 config CRYPTO_CHACHA20_NEON
-	tristate "NEON accelerated ChaCha20 stream cipher algorithms"
+	tristate "NEON accelerated ChaCha stream cipher algorithms"
 	depends on KERNEL_MODE_NEON
 	select CRYPTO_BLKCIPHER
 	select CRYPTO_CHACHA20
diff --git a/arch/arm/crypto/chacha-neon-glue.c b/arch/arm/crypto/chacha-neon-glue.c
index b236af4889c61..0b1b238227707 100644
--- a/arch/arm/crypto/chacha-neon-glue.c
+++ b/arch/arm/crypto/chacha-neon-glue.c
@@ -1,5 +1,6 @@
 /*
- * ChaCha20 (RFC7539) and XChaCha20 stream ciphers, NEON accelerated
+ * ARM NEON accelerated ChaCha and XChaCha stream ciphers,
+ * including ChaCha20 (RFC7539)
  *
  * Copyright (C) 2016 Linaro, Ltd. <ard.biesheuvel@linaro.org>
  *
@@ -160,6 +161,22 @@ static struct skcipher_alg algs[] = {
 		.setkey			= crypto_chacha20_setkey,
 		.encrypt		= xchacha_neon,
 		.decrypt		= xchacha_neon,
+	}, {
+		.base.cra_name		= "xchacha12",
+		.base.cra_driver_name	= "xchacha12-neon",
+		.base.cra_priority	= 300,
+		.base.cra_blocksize	= 1,
+		.base.cra_ctxsize	= sizeof(struct chacha_ctx),
+		.base.cra_module	= THIS_MODULE,
+
+		.min_keysize		= CHACHA_KEY_SIZE,
+		.max_keysize		= CHACHA_KEY_SIZE,
+		.ivsize			= XCHACHA_IV_SIZE,
+		.chunksize		= CHACHA_BLOCK_SIZE,
+		.walksize		= 4 * CHACHA_BLOCK_SIZE,
+		.setkey			= crypto_chacha12_setkey,
+		.encrypt		= xchacha_neon,
+		.decrypt		= xchacha_neon,
 	}
 };
 
@@ -186,3 +203,5 @@ MODULE_ALIAS_CRYPTO("chacha20");
 MODULE_ALIAS_CRYPTO("chacha20-neon");
 MODULE_ALIAS_CRYPTO("xchacha20");
 MODULE_ALIAS_CRYPTO("xchacha20-neon");
+MODULE_ALIAS_CRYPTO("xchacha12");
+MODULE_ALIAS_CRYPTO("xchacha12-neon");
-- 
2.19.1.331.ge82ca0e54c-goog