On Wed, Dec 06, 2023 at 01:49:32PM +0800, Herbert Xu wrote:
> +static int chacha_stream_xor(const struct chacha_ctx *ctx, const u8 *src,
> +			     u8 *dst, unsigned nbytes, u8 *siv, u32 flags)

In cryptography, siv normally stands for Synthetic Initialization Vector.  I
*think* that here you're having it stand for "state and IV", or something like
that.  Is there a better name for it?  Maybe it should just be state?

> -static int crypto_xchacha_crypt(struct skcipher_request *req)
> +static int crypto_xchacha_crypt(struct crypto_lskcipher *tfm, const u8 *src,
> +				u8 *dst, unsigned nbytes, u8 *siv, u32 flags)
>  {
> -	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
> -	struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
> +	struct chacha_ctx *ctx = crypto_lskcipher_ctx(tfm);
>  	struct chacha_ctx subctx;
> -	u32 state[16];
> -	u8 real_iv[16];
> +	u8 *real_iv;
> +	u32 *state;
>  
> -	/* Compute the subkey given the original key and first 128 nonce bits */
> -	chacha_init_generic(state, ctx->key, req->iv);
> -	hchacha_block_generic(state, subctx.key, ctx->nrounds);
> +	real_iv = siv + XCHACHA_IV_SIZE;
> +	state = (u32 *)(real_iv + CHACHA_IV_SIZE);

So the "siv" contains xchacha_iv || real_iv || state?  That's 112 bytes, which
is more than the 80 that's allocated for it.  Isn't the state the only thing
that actually needs to be carried forward?

- Eric
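Review bot: the new chacha_stream_xor prototype in the first hunk adds `u8 *siv` and `u32 flags` with no comment stating what layout and size the siv buffer must have or which flag values the function accepts; since every caller now has to supply that buffer, a short comment above the prototype spelling out the expected contents and the minimum length would make the contract checkable at each call site.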
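Review bot: in the crypto_xchacha_crypt hunk, the two lines `real_iv = siv + XCHACHA_IV_SIZE;` and `state = (u32 *)(real_iv + CHACHA_IV_SIZE);` replace the former stack-local `u32 state[16]` and `u8 real_iv[16]` with pointers into caller-supplied memory, but nothing in the hunk checks that the passed buffer is long enough for all three regions, and the cast of a u8 pointer to u32 * assumes an alignment a byte buffer does not guarantee. If the buffer really is smaller than the layout implies (Eric's 80 versus 112 bytes), writing the state through that pointer is an out-of-bounds write, not a style issue; suggest either carrying only the state in the buffer or adding an explicit size/alignment check at the entry point before these pointers are derived.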