Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp1017727ybl; Wed, 11 Dec 2019 11:06:41 -0800 (PST) X-Google-Smtp-Source: APXvYqy9BtgsB4gOLpribXH3WIMhk0Qty1XnTrlIZsGx23+bdAV8PgAadcSHDVhn7NyVZ8aCflL9 X-Received: by 2002:a9d:58c9:: with SMTP id s9mr3225670oth.121.1576091201296; Wed, 11 Dec 2019 11:06:41 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1576091201; cv=none; d=google.com; s=arc-20160816; b=XnoKT2zF2Lq0RroJRZKRkdw1JMQcav12eALjzf49+ULUiKR9OAlVwz7VZqC6wk6nax kse0pAyL68UcaF1CCSpnD2dz6lPEdQ7PK8a4HfSX09lYnKskdR+FPw0ppAzImTODHIob 1hhXXl6B4ZkF6ZVWpKrANlRbWlOrMD1AVqc7ZuPLl+B7rAIC21SHAIOrY9iMvGU2xb7Q RVb1nIBrm9DnMXxcu0VlHJlVTPBR/I7UbLOGGGiEyZBqsUUfLpUh6PeLQUYrACLjQ3fb 6GLSu6+6+Dys0Ldwyzql7O5I7wl4sAFKTqnOVR1N1BeQWDjXF92c2PoQ0ZDo0asUBpdb x4yQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=8HQssg2Zmi55TYYH9HtEPl5/nRk4fMGEdA4sW4zw7p8=; b=QXHpS9Wfw79t1zvRxMmRNdwscUWtUj22xoCHJeNcBPeRxLO9JBsewcT2CuRMjI9ikX Oc5IHfMabLPkthUM19ICOlWAFVyeCnpyCzTV+/on7unyJlYr1xcdr3py/kceb0Rblmd5 YGKqFDpcL6/AuH54e6aK6J1jqXLHCI7kxQDWveiEJtp2XkgSRFfbMVmI30LByxSr7h1e Z1alIsMz2p7D23KMz3lUHigm0XCEtlvh74k9DwEx3YpAk/h/mBJzgDuuNjRdRbWTpXH1 PO6JILgS29k89+oADrV8ZuNjJCdXG8AtfW60nj2qSkFeTquoXgduo81W0LPEDGAXUqc3 EaxA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=zv2l5KgA; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q9si1786902oth.93.2019.12.11.11.06.20; Wed, 11 Dec 2019 11:06:41 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=zv2l5KgA; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726595AbfLKTGT (ORCPT + 99 others); Wed, 11 Dec 2019 14:06:19 -0500 Received: from mail.kernel.org ([198.145.29.99]:49650 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727096AbfLKTGT (ORCPT ); Wed, 11 Dec 2019 14:06:19 -0500 Received: from gmail.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 664C320836; Wed, 11 Dec 2019 19:06:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1576091178; bh=LkOzKJFV2DBa/4avtVwHZDrQXWd514uVebIpA+Rk054=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=zv2l5KgAlmc6pV5Q/dkBdhby8aA/OrSI7doA5ZH4w+3TTSajouYU4JSeFoDB0Gzqr MZc1H0kVwY8Yhsbpe+yKfiDlHelWnYbm9ll7n8kP6pJvfNRsQJNnfBzgt8Sg1s7+du 1LPH2Xz3kc95nNCi00RSQTawNlfDyLKqQzq5Tpao= Date: Wed, 11 Dec 2019 11:06:16 -0800 From: Eric Biggers To: "Jason A. Donenfeld" Cc: linux-crypto@vger.kernel.org Subject: Re: [PATCH crypto-next v1] crypto: poly1305 - add new 32 and 64-bit generic versions Message-ID: <20191211190615.GC82952@gmail.com> References: <20191211170936.385572-1-Jason@zx2c4.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20191211170936.385572-1-Jason@zx2c4.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Wed, Dec 11, 2019 at 06:09:36PM +0100, Jason A. Donenfeld wrote: > These two C implementations from Zinc -- a 32x32 one and a 64x64 one, > depending on the platform -- come from Andrew Moon's public domain > poly1305-donna portable code, modified for usage in the kernel. The > precomputation in the 32-bit version and the use of 64x64 multiplies in > the 64-bit version make these perform better than the code it replaces. > Moon's code is also very widespread and has received many eyeballs of > scrutiny. Isn't the existing implementation in the kernel already based on the 32x32 code from Andrew Moon? Can you elaborate on how the new code is different? > > There's a bit of interference between the x86 implementation, which > relies on internal details of the old scalar implementation. Soon the > x86 implementation will be replaced with a faster one that doesn't rely > on this, but for now, we inline the bits of the old implementation that > the x86 implementation relied on. Also, since we now support a slightly > larger key space, via the union, some offsets had to be fixed up. > > Nonce calculation was folded in with the emit function, to take > advantage of 64x64 arithmetic. However, Adiantum appeared to rely on no > nonce handling in emit, so this path was conditionalized. I don't have > an Adiantum rig handy, so I'd appreciate a review from somebody who does > and can make sure this doesn't break it. > > Signed-off-by: Jason A. Donenfeld > Cc: Eric Biggers You can run the self-tests. But I tried and it doesn't get past nhpoly1305: [ 0.856458] alg: shash: nhpoly1305-generic test failed (wrong result) on test vector 1, cfg="init+update+final aligned buffer" > diff --git a/include/crypto/internal/poly1305.h b/include/crypto/internal/poly1305.h > index 479b0cab2a1a..6e275d3e5969 100644 > --- a/include/crypto/internal/poly1305.h > +++ b/include/crypto/internal/poly1305.h > @@ -24,35 +24,7 @@ static inline void poly1305_core_init(struct poly1305_state *state) > void poly1305_core_blocks(struct poly1305_state *state, > const struct poly1305_key *key, const void *src, > unsigned int nblocks, u32 hibit); > -void poly1305_core_emit(const struct poly1305_state *state, void *dst); > - > -/* > - * Poly1305 requires a unique key for each tag, which implies that we can't set > - * it on the tfm that gets accessed by multiple users simultaneously. Instead we > - * expect the key as the first 32 bytes in the update() call. > - */ > -static inline > -unsigned int crypto_poly1305_setdesckey(struct poly1305_desc_ctx *dctx, > - const u8 *src, unsigned int srclen) > -{ > - if (!dctx->sset) { > - if (!dctx->rset && srclen >= POLY1305_BLOCK_SIZE) { > - poly1305_core_setkey(dctx->r, src); > - src += POLY1305_BLOCK_SIZE; > - srclen -= POLY1305_BLOCK_SIZE; > - dctx->rset = 1; > - } > - if (srclen >= POLY1305_BLOCK_SIZE) { > - dctx->s[0] = get_unaligned_le32(src + 0); > - dctx->s[1] = get_unaligned_le32(src + 4); > - dctx->s[2] = get_unaligned_le32(src + 8); > - dctx->s[3] = get_unaligned_le32(src + 12); > - src += POLY1305_BLOCK_SIZE; > - srclen -= POLY1305_BLOCK_SIZE; > - dctx->sset = true; > - } > - } > - return srclen; > -} > +void poly1305_core_emit(const struct poly1305_state *state, const u32 nonce[4], > + void *dst); Adding nonce support here makes the comment above this code outdated. /* * Poly1305 core functions. These implement the ε-almost-∆-universal hash * function underlying the Poly1305 MAC, i.e. they don't add an encrypted nonce * ("s key") at the end. They also only support block-aligned inputs. */ > diff --git a/include/crypto/poly1305.h b/include/crypto/poly1305.h > index 74c6e1cd73ee..dec2bd6b5aee 100644 > --- a/include/crypto/poly1305.h > +++ b/include/crypto/poly1305.h > @@ -14,11 +14,17 @@ > #define POLY1305_DIGEST_SIZE 16 > > struct poly1305_key { > - u32 r[5]; /* key, base 2^26 */ > + union { > + u32 r[5]; /* key, base 2^26 */ > + u64 r64[3]; > + }; > }; > > struct poly1305_state { > - u32 h[5]; /* accumulator, base 2^26 */ > + union { > + u32 h[5]; /* accumulator, base 2^26 */ > + u64 h64[3]; > + }; > }; It would be helpful to include comments for the r64 and h64 fields, like there are for the r and h fields. What base is being used? > diff --git a/lib/crypto/poly1305-donna32.c b/lib/crypto/poly1305-donna32.c > new file mode 100644 > index 000000000000..39b3fde68dcf > --- /dev/null > +++ b/lib/crypto/poly1305-donna32.c > @@ -0,0 +1,204 @@ > +// SPDX-License-Identifier: GPL-2.0 OR MIT > +/* > + * Copyright (C) 2015-2019 Jason A. Donenfeld . All Rights Reserved. > + * > + * This is based in part on Andrew Moon's poly1305-donna, which is in the > + * public domain. > + */ > + > +#include > +#include > +#include > + > +void poly1305_core_setkey(struct poly1305_key *key, const u8 raw_key[16]) > +{ > + /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */ > + key[0].r[0] = (get_unaligned_le32(&raw_key[0])) & 0x3ffffff; > + key[0].r[1] = (get_unaligned_le32(&raw_key[3]) >> 2) & 0x3ffff03; > + key[0].r[2] = (get_unaligned_le32(&raw_key[6]) >> 4) & 0x3ffc0ff; > + key[0].r[3] = (get_unaligned_le32(&raw_key[9]) >> 6) & 0x3f03fff; > + key[0].r[4] = (get_unaligned_le32(&raw_key[12]) >> 8) & 0x00fffff; > + > + /* s = 5*r */ > + key[1].r[0] = key[0].r[1] * 5; > + key[1].r[1] = key[0].r[2] * 5; > + key[1].r[2] = key[0].r[3] * 5; > + key[1].r[3] = key[0].r[4] * 5; > +} > +EXPORT_SYMBOL(poly1305_core_setkey); This assumes the struct poly1305_key is actually part of an array. This is probably what's causing the self-tests to fail, since some callers provide only a single struct poly1305_key. Shouldn't this detail be hidden in struct poly1305_key? Or at least the functions should take 'struct poly1305_key key[2]' to make this assumption explicit. - Eric