From: Eric Biggers <ebiggers@kernel.org>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: "open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
<linux-crypto@vger.kernel.org>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Greg Kaiser <gkaiser@google.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Samuel Neves <samuel.c.p.neves@gmail.com>,
Michael Halcrow <mhalcrow@google.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-fscrypt@vger.kernel.org,
Tomer Ashur <tomer.ashur@esat.kuleuven.be>,
linux-arm-kernel <linux-arm-kernel@lists.infradead.org>,
Paul Crowley <paulcrowley@google.com>
Subject: Re: [RFC PATCH v2 04/12] crypto: chacha - add XChaCha12 support
Date: Fri, 19 Oct 2018 11:28:05 -0700 [thread overview]
Message-ID: <20181019182804.GA246441@gmail.com> (raw)
In-Reply-To: <CAKv+Gu_wVmnEND3MGTG7bqqynbBqyzmE_gTmqZfrT551_n9Hmw@mail.gmail.com>
Hi Ard,
On Fri, Oct 19, 2018 at 10:34:41PM +0800, Ard Biesheuvel wrote:
> > diff --git a/include/crypto/chacha.h b/include/crypto/chacha.h
> > index ae79e9983c72f..3d261f5cd156d 100644
> > --- a/include/crypto/chacha.h
> > +++ b/include/crypto/chacha.h
> > @@ -5,6 +5,11 @@
> > * XChaCha extends ChaCha's nonce to 192 bits, while provably retaining ChaCha's
> > * security. Here they share the same key size, tfm context, and setkey
> > * function; only their IV size and encrypt/decrypt function differ.
> > + *
> > + * The ChaCha paper specifies 20, 12, and 8-round variants. In general, it is
> > + * recommended to use the 20-round variant ChaCha20. However, the other
> > + * variants can be needed in some performance-sensitive scenarios. The generic
> > + * ChaCha code currently allows only the 20 and 12-round variants.
> > */
> >
> > #ifndef _CRYPTO_CHACHA_H
> > @@ -39,6 +44,8 @@ void crypto_chacha_init(u32 *state, struct chacha_ctx *ctx, u8 *iv);
> >
> > int crypto_chacha20_setkey(struct crypto_skcipher *tfm, const u8 *key,
> > unsigned int keysize);
> > +int crypto_chacha12_setkey(struct crypto_skcipher *tfm, const u8 *key,
> > + unsigned int keysize);
> >
> > int crypto_chacha_crypt(struct skcipher_request *req);
> > int crypto_xchacha_crypt(struct skcipher_request *req);
> > diff --git a/lib/chacha.c b/lib/chacha.c
> > index 0a2c2e5b7b84d..c4d69a83fcd2d 100644
> > --- a/lib/chacha.c
> > +++ b/lib/chacha.c
> > @@ -21,7 +21,7 @@ static void chacha_permute(u32 *x, int nrounds)
> > int i;
> >
> > /* whitelist the allowed round counts */
> > - BUG_ON(nrounds != 20);
> > + BUG_ON(nrounds != 20 && nrounds != 12);
> >
>
> I didn't spot this until this patch, but BUG_ON() may bring down the
> kernel, and so it should really only be used as a last resort. (i.e.,
> if this is called from non-process context things may explode rather
> painfully)
>
> I didn't look at the entire file [which is a bit cumbersome while
> reviewing incremental changes like this] and so I don't really have
> another suggestion right now, but please try to come up with something
> better if you can.
>
I'll change it to WARN_ON_ONCE(), I guess. I do still want it to be very noisy
if something fishy is going on with the round count.
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiggers@kernel.org (Eric Biggers)
To: linux-arm-kernel@lists.infradead.org
Subject: [RFC PATCH v2 04/12] crypto: chacha - add XChaCha12 support
Date: Fri, 19 Oct 2018 11:28:05 -0700 [thread overview]
Message-ID: <20181019182804.GA246441@gmail.com> (raw)
In-Reply-To: <CAKv+Gu_wVmnEND3MGTG7bqqynbBqyzmE_gTmqZfrT551_n9Hmw@mail.gmail.com>
Hi Ard,
On Fri, Oct 19, 2018 at 10:34:41PM +0800, Ard Biesheuvel wrote:
> > diff --git a/include/crypto/chacha.h b/include/crypto/chacha.h
> > index ae79e9983c72f..3d261f5cd156d 100644
> > --- a/include/crypto/chacha.h
> > +++ b/include/crypto/chacha.h
> > @@ -5,6 +5,11 @@
> > * XChaCha extends ChaCha's nonce to 192 bits, while provably retaining ChaCha's
> > * security. Here they share the same key size, tfm context, and setkey
> > * function; only their IV size and encrypt/decrypt function differ.
> > + *
> > + * The ChaCha paper specifies 20, 12, and 8-round variants. In general, it is
> > + * recommended to use the 20-round variant ChaCha20. However, the other
> > + * variants can be needed in some performance-sensitive scenarios. The generic
> > + * ChaCha code currently allows only the 20 and 12-round variants.
> > */
> >
> > #ifndef _CRYPTO_CHACHA_H
> > @@ -39,6 +44,8 @@ void crypto_chacha_init(u32 *state, struct chacha_ctx *ctx, u8 *iv);
> >
> > int crypto_chacha20_setkey(struct crypto_skcipher *tfm, const u8 *key,
> > unsigned int keysize);
> > +int crypto_chacha12_setkey(struct crypto_skcipher *tfm, const u8 *key,
> > + unsigned int keysize);
> >
> > int crypto_chacha_crypt(struct skcipher_request *req);
> > int crypto_xchacha_crypt(struct skcipher_request *req);
> > diff --git a/lib/chacha.c b/lib/chacha.c
> > index 0a2c2e5b7b84d..c4d69a83fcd2d 100644
> > --- a/lib/chacha.c
> > +++ b/lib/chacha.c
> > @@ -21,7 +21,7 @@ static void chacha_permute(u32 *x, int nrounds)
> > int i;
> >
> > /* whitelist the allowed round counts */
> > - BUG_ON(nrounds != 20);
> > + BUG_ON(nrounds != 20 && nrounds != 12);
> >
>
> I didn't spot this until this patch, but BUG_ON() may bring down the
> kernel, and so it should really only be used as a last resort. (i.e.,
> if this is called from non-process context things may explode rather
> painfully)
>
> I didn't look at the entire file [which is a bit cumbersome while
> reviewing incremental changes like this] and so I don't really have
> another suggestion right now, but please try to come up with something
> better if you can.
>
I'll change it to WARN_ON_ONCE(), I guess. I do still want it to be very noisy
if something fishy is going on with the round count.
- Eric
next prev parent reply other threads:[~2018-10-20 2:35 UTC|newest]
Thread overview: 109+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-15 17:54 [RFC PATCH v2 00/12] crypto: Adiantum support Eric Biggers
2018-10-15 17:54 ` Eric Biggers
2018-10-15 17:54 ` [RFC PATCH v2 01/12] crypto: chacha20-generic - add HChaCha20 library function Eric Biggers
2018-10-15 17:54 ` Eric Biggers
2018-10-19 14:13 ` Ard Biesheuvel
2018-10-19 14:13 ` Ard Biesheuvel
2018-10-15 17:54 ` [RFC PATCH v2 02/12] crypto: chacha20-generic - add XChaCha20 support Eric Biggers
2018-10-15 17:54 ` Eric Biggers
2018-10-19 14:24 ` Ard Biesheuvel
2018-10-19 14:24 ` Ard Biesheuvel
2018-10-15 17:54 ` [RFC PATCH v2 03/12] crypto: chacha20-generic - refactor to allow varying number of rounds Eric Biggers
2018-10-15 17:54 ` Eric Biggers
2018-10-19 14:25 ` Ard Biesheuvel
2018-10-19 14:25 ` Ard Biesheuvel
2018-10-15 17:54 ` [RFC PATCH v2 04/12] crypto: chacha - add XChaCha12 support Eric Biggers
2018-10-15 17:54 ` Eric Biggers
2018-10-19 14:34 ` Ard Biesheuvel
2018-10-19 14:34 ` Ard Biesheuvel
2018-10-19 18:28 ` Eric Biggers [this message]
2018-10-19 18:28 ` Eric Biggers
2018-10-15 17:54 ` [RFC PATCH v2 05/12] crypto: arm/chacha20 - add XChaCha20 support Eric Biggers
2018-10-15 17:54 ` Eric Biggers
2018-10-20 2:29 ` Ard Biesheuvel
2018-10-20 2:29 ` Ard Biesheuvel
2018-10-15 17:54 ` [RFC PATCH v2 06/12] crypto: arm/chacha20 - refactor to allow varying number of rounds Eric Biggers
2018-10-15 17:54 ` Eric Biggers
2018-10-20 3:35 ` Ard Biesheuvel
2018-10-20 3:35 ` Ard Biesheuvel
2018-10-20 5:26 ` Eric Biggers
2018-10-20 5:26 ` Eric Biggers
2018-10-15 17:54 ` [RFC PATCH v2 07/12] crypto: arm/chacha - add XChaCha12 support Eric Biggers
2018-10-15 17:54 ` Eric Biggers
2018-10-20 3:36 ` Ard Biesheuvel
2018-10-20 3:36 ` Ard Biesheuvel
2018-10-15 17:54 ` [RFC PATCH v2 08/12] crypto: poly1305 - add Poly1305 core API Eric Biggers
2018-10-15 17:54 ` Eric Biggers
2018-10-20 3:45 ` Ard Biesheuvel
2018-10-20 3:45 ` Ard Biesheuvel
2018-10-15 17:54 ` [RFC PATCH v2 09/12] crypto: nhpoly1305 - add NHPoly1305 support Eric Biggers
2018-10-15 17:54 ` Eric Biggers
2018-10-20 4:00 ` Ard Biesheuvel
2018-10-20 4:00 ` Ard Biesheuvel
2018-10-20 5:38 ` Eric Biggers
2018-10-20 5:38 ` Eric Biggers
2018-10-20 15:06 ` Ard Biesheuvel
2018-10-20 15:06 ` Ard Biesheuvel
2018-10-22 18:42 ` Eric Biggers
2018-10-22 18:42 ` Eric Biggers
2018-10-22 22:25 ` Ard Biesheuvel
2018-10-22 22:25 ` Ard Biesheuvel
2018-10-22 22:40 ` Eric Biggers
2018-10-22 22:40 ` Eric Biggers
2018-10-22 22:43 ` Ard Biesheuvel
2018-10-22 22:43 ` Ard Biesheuvel
2018-10-15 17:54 ` [RFC PATCH v2 10/12] crypto: arm/nhpoly1305 - add NEON-accelerated NHPoly1305 Eric Biggers
2018-10-15 17:54 ` Eric Biggers
2018-10-20 4:12 ` Ard Biesheuvel
2018-10-20 4:12 ` Ard Biesheuvel
2018-10-20 5:51 ` Eric Biggers
2018-10-20 5:51 ` Eric Biggers
2018-10-20 15:00 ` Ard Biesheuvel
2018-10-20 15:00 ` Ard Biesheuvel
2018-10-15 17:54 ` [RFC PATCH v2 11/12] crypto: adiantum - add Adiantum support Eric Biggers
2018-10-15 17:54 ` Eric Biggers
2018-10-20 4:17 ` Ard Biesheuvel
2018-10-20 4:17 ` Ard Biesheuvel
2018-10-20 7:12 ` Eric Biggers
2018-10-20 7:12 ` Eric Biggers
2018-10-23 10:40 ` Ard Biesheuvel
2018-10-23 10:40 ` Ard Biesheuvel
2018-10-24 22:06 ` Eric Biggers
2018-10-24 22:06 ` Eric Biggers
2018-10-30 8:17 ` Herbert Xu
2018-10-30 8:17 ` Herbert Xu
2018-10-15 17:54 ` [RFC PATCH v2 12/12] fscrypt: " Eric Biggers
2018-10-15 17:54 ` Eric Biggers
2018-10-19 15:58 ` [RFC PATCH v2 00/12] crypto: " Jason A. Donenfeld
2018-10-19 15:58 ` Jason A. Donenfeld
2018-10-19 18:19 ` Paul Crowley
2018-10-19 18:19 ` Paul Crowley
2018-10-20 3:24 ` Ard Biesheuvel
2018-10-20 3:24 ` Ard Biesheuvel
2018-10-20 5:22 ` Eric Biggers
2018-10-20 5:22 ` Eric Biggers
2018-10-22 10:19 ` Tomer Ashur
2018-10-22 11:20 ` Tomer Ashur
2018-10-22 11:20 ` Tomer Ashur
2018-10-19 19:04 ` Eric Biggers
2018-10-19 19:04 ` Eric Biggers
2018-10-20 10:26 ` Milan Broz
2018-10-20 10:26 ` Milan Broz
2018-10-20 13:47 ` Jason A. Donenfeld
2018-10-20 13:47 ` Jason A. Donenfeld
2018-11-16 21:52 ` Eric Biggers
2018-11-16 21:52 ` Eric Biggers
2018-11-17 10:29 ` Milan Broz
2018-11-17 10:29 ` Milan Broz
2018-11-19 19:28 ` Eric Biggers
2018-11-19 19:28 ` Eric Biggers
2018-11-19 20:05 ` Milan Broz
2018-11-19 20:05 ` Milan Broz
2018-11-19 20:30 ` Jason A. Donenfeld
2018-11-19 20:30 ` Jason A. Donenfeld
2018-10-21 22:23 ` Eric Biggers
2018-10-21 22:23 ` Eric Biggers
2018-10-21 22:51 ` Jason A. Donenfeld
2018-10-21 22:51 ` Jason A. Donenfeld
2018-10-22 17:17 ` Paul Crowley
2018-10-22 17:17 ` Paul Crowley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181019182804.GA246441@gmail.com \
--to=ebiggers@kernel.org \
--cc=Jason@zx2c4.com \
--cc=ard.biesheuvel@linaro.org \
--cc=gkaiser@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mhalcrow@google.com \
--cc=paulcrowley@google.com \
--cc=samuel.c.p.neves@gmail.com \
--cc=tomer.ashur@esat.kuleuven.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.