Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp2552936pxp; Tue, 22 Mar 2022 00:26:32 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw/xplvX76Rc//l0ccvGJtTAuDFSWbs0gYX9b5SM3ws7asWuRXTn4DNFzO0Qsw57OaMwV1J X-Received: by 2002:a17:902:e943:b0:14f:4a2b:203 with SMTP id b3-20020a170902e94300b0014f4a2b0203mr16721864pll.113.1647933991817; Tue, 22 Mar 2022 00:26:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1647933991; cv=none; d=google.com; s=arc-20160816; b=nqhtFh326pq27Pwyrk6TQGcj2StB9RU7me6nKnRwY1xxU0z7E8IF95FKs8OHxBtquc zAQoWNjiYPOVtYgnMtwuAe5ycDkiD/VUfmmGRWeE4kYovoIpg8kfTmBP14Y5GIy1TkEW Um1onxM812MacuF8XzQARj1nG7Kiv46rlRz4HizdCZvsOPu3ujMZgHAavJJf/3wfhBXz pb6e88dA8v0sJMjv5L1fvrBXrrbkQruaBi65Hvg/3NdaLs9IKtOYQz3LCfwv0A4ylhpA Zo269JNgrWBIN8HJHVk50q2tmJAj7w9nCnwyfj7zQaC448hbjaeKps69aI+zFZfqrjTo 4S7g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=zzBdBe+/X9Jb7LQ+Hvm3AeCmw6X91gRZdRfq9NrPNfE=; b=Iv91jM5xw8WXoAZPxTA9JKOuZrHAH7tCoJjAZkvWlD2nnOgZ43GsT7YlrV0RdMMrjs /GFiN5A6FADx1iSlVc4ItlptODMJD6o3tD+uz/wWAcONlNIMmFfVpWJDCSY5gkQUtIs4 arpCCSGd5lvHSj57vY4LHFcq/RfCaUMn36ZNVeJ1thMH6/NiFuHRh0QyFZ0g/nMja/bZ XDBBQTjFW6/zmFEEu3VKmO1P1BaPq37AE24upiVi7MJP+Xre1gVojeo0j//CGoDThFtu 46rgc3oT1uRJBjgd/ClK3+OEPS60KJ/xhFB2S4Eo1NOwwxLyuSZHcrltoveDdF4DU638 kqaQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=iOwjqVf1; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id a24-20020a17090a481800b001c6d21e81f8si1401682pjh.110.2022.03.22.00.26.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 22 Mar 2022 00:26:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=iOwjqVf1; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 9B5CD2656; Tue, 22 Mar 2022 00:00:59 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237160AbiCVHCV (ORCPT + 99 others); Tue, 22 Mar 2022 03:02:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57920 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237151AbiCVHCT (ORCPT ); Tue, 22 Mar 2022 03:02:19 -0400 Received: from sin.source.kernel.org (sin.source.kernel.org [IPv6:2604:1380:40e1:4800::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EF2D221A4 for ; Tue, 22 Mar 2022 00:00:50 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sin.source.kernel.org (Postfix) with ESMTPS id 1332FCE1CB1 for ; Tue, 22 Mar 2022 07:00:49 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 18A83C340EC; Tue, 22 Mar 2022 07:00:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1647932447; bh=yUcgnO83m6wpw6WaeePnlqcDePF0XZJ7jRcIVZ2+Jbg=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=iOwjqVf1C2VN85JgSPne9cK3Q/5CbqGi0QU3tQriKAMeAPh3VllB2ePZjxNK3RdWA mB8K5Sh6OaIoHL2lIgRTaAbvdrxb148iGPKMSH8aAT7bSe1QXdcjM06ZGOTcdxIqNb NjZULbEMnls4SJUquZOswP3vy6tDP6g9hKTFom6tZePkqL/Q3KdclPySL/cjJmrb+b AkpsoZ81JHC2IwoeoFdBHdw1ofb1VoVUl9Kfn54uMD/B+lHxXyFVjHsR7WOGbSO6ZD IBTDW+R4wMnKOXjZSIMFcfuIl2MXKpdICp8E6C54rMsIMzCtSKFlsKFZ3IaCvAuU1o y2qdajpMhe4Fg== Date: Tue, 22 Mar 2022 00:00:45 -0700 From: Eric Biggers To: Nathan Huckleberry Cc: linux-crypto@vger.kernel.org, Herbert Xu , "David S. Miller" , linux-arm-kernel@lists.infradead.org, Paul Crowley , Sami Tolvanen , Ard Biesheuvel Subject: Re: [PATCH v3 3/8] crypto: hctr2 - Add HCTR2 support Message-ID: References: <20220315230035.3792663-1-nhuck@google.com> <20220315230035.3792663-4-nhuck@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220315230035.3792663-4-nhuck@google.com> X-Spam-Status: No, score=-3.5 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Tue, Mar 15, 2022 at 11:00:30PM +0000, Nathan Huckleberry wrote: > +struct hctr2_tfm_ctx { > + struct crypto_cipher *blockcipher; > + struct crypto_skcipher *xctr; > + struct crypto_shash *polyval; > + u8 L[BLOCKCIPHER_BLOCK_SIZE]; > +}; How about adding a comment at the end of the struct above that says that the struct is followed by the two exported_length_digests? (Or hashed_tweaklen, which is the name suggested in my suggested helper functions below?) > + > +struct hctr2_request_ctx { > + u8 first_block[BLOCKCIPHER_BLOCK_SIZE]; > + u8 xctr_iv[BLOCKCIPHER_BLOCK_SIZE]; > + struct scatterlist *bulk_part_dst; > + struct scatterlist *bulk_part_src; > + struct scatterlist sg_src[2]; > + struct scatterlist sg_dst[2]; > + /* Sub-requests, must be last */ > + union { > + struct shash_desc hash_desc; > + struct skcipher_request xctr_req; > + } u; > +}; Likewise above for the hashed tweak. Also how about adding inline functions or macros that return these new fields, so that the arithmetic to find them doesn't have to be duplicated in the code? The 'exported_length_digests' array local variables are a bit weird. Maybe just use some helper functions directly to get at the fields? How about: static inline u8 *hctr2_hashed_tweaklen(const struct hctr2_tfm_ctx *tctx, bool odd) { u8 *p = (u8 *)tctx + sizeof(*tctx); if (odd) /* For messages not a multiple of block length */ p += crypto_shash_statesize(tctx->polyval); return p; } static inline u8 *hctr2_hashed_tweak(const struct hctr2_tfm_ctx *tctx, struct hctr2_request_ctx *rctx) { return (u8 *)rctx + tctx->hashed_tweak_offset; } > +static int hctr2_setkey(struct crypto_skcipher *tfm, const u8 *key, > + unsigned int keylen) > +{ > + struct hctr2_tfm_ctx *tctx = crypto_skcipher_ctx(tfm); > + u8 hbar[BLOCKCIPHER_BLOCK_SIZE]; > + __le64 tweak_length_block[2]; > + void *exported_length_digests[2]; > + SHASH_DESC_ON_STACK(shash, tfm->polyval); > + int err; > + > + exported_length_digests[0] = (u8 *)tctx + sizeof(*tctx); > + exported_length_digests[1] = (u8 *)tctx + sizeof(*tctx) + > + crypto_shash_descsize(tctx->polyval); The size needed by crypto_shash_export() is crypto_shash_statesize(), not crypto_shash_descsize(). They happen to be the same with all polyval implementations you've proposed, but it's not guaranteed for shash algorithms in general. > + crypto_cipher_clear_flags(tctx->blockcipher, CRYPTO_TFM_REQ_MASK); > + crypto_cipher_set_flags(tctx->blockcipher, > + crypto_skcipher_get_flags(tfm) & > + CRYPTO_TFM_REQ_MASK); > + err = crypto_cipher_setkey(tctx->blockcipher, key, keylen); > + if (err) > + return err; > + > + crypto_skcipher_clear_flags(tctx->xctr, CRYPTO_TFM_REQ_MASK); > + crypto_skcipher_set_flags(tctx->xctr, > + crypto_skcipher_get_flags(tfm) & > + CRYPTO_TFM_REQ_MASK); > + err = crypto_skcipher_setkey(tctx->xctr, key, keylen); > + if (err) > + return err; > + > + memset(tctx->L, 0, sizeof(tctx->L)); > + memset(hbar, 0, sizeof(hbar)); > + tctx->L[0] = 0x01; > + crypto_cipher_encrypt_one(tctx->blockcipher, tctx->L, tctx->L); > + crypto_cipher_encrypt_one(tctx->blockcipher, hbar, hbar); > + > + crypto_shash_clear_flags(tctx->polyval, CRYPTO_TFM_REQ_MASK); > + crypto_shash_set_flags(tctx->polyval, crypto_skcipher_get_flags(tfm) & > + CRYPTO_TFM_REQ_MASK); > + err = crypto_shash_setkey(tctx->polyval, hbar, BLOCKCIPHER_BLOCK_SIZE); > + if (err) > + return err; > + memzero_explicit(hbar, sizeof(hbar)); > + > + shash->tfm = tctx->polyval; > + memset(tweak_length_block, 0, sizeof(tweak_length_block)); > + > + tweak_length_block[0] = cpu_to_le64(TWEAK_SIZE * 8 * 2 + 2); > + err = crypto_shash_init(shash); > + if (err) > + return err; > + err = crypto_shash_update(shash, (u8 *)tweak_length_block, > + POLYVAL_BLOCK_SIZE); > + if (err) > + return err; > + err = crypto_shash_export(shash, exported_length_digests[0]); > + if (err) > + return err; > + > + tweak_length_block[0] = cpu_to_le64(TWEAK_SIZE * 8 * 2 + 3); > + err = crypto_shash_init(shash); > + if (err) > + return err; > + err = crypto_shash_update(shash, (u8 *)tweak_length_block, > + POLYVAL_BLOCK_SIZE); > + if (err) > + return err; > + return crypto_shash_export(shash, exported_length_digests[1]); > +} hctr2_setkey() is getting pretty long. How about splitting the tweak length pre-hashing into a helper function? Also, a comment that explains why the tweak length is being pre-hashed, and why it *can* be pre-hashed, would be helpful. Note that it is only possible because this implementation only supports one tweak length. - Eric