Re: [PATCH 2/2] crypto: blake2s - use memcpy_and_pad in __blake2s_init

[Eric Biggers <ebiggers@kernel.org>]

On Wed, Apr 15, 2026 at 02:56:11PM +0200, Thorsten Blum wrote:
> On Tue, Apr 14, 2026 at 10:39:15AM -0700, Eric Biggers wrote:
> > On Tue, Apr 14, 2026 at 05:49:04PM +0200, Thorsten Blum wrote:
> > > Use memcpy_and_pad() instead of memcpy() followed by memset() to
> > > simplify __blake2s_init(). Use sizeof(ctx->buf) instead of the macro
> > > BLAKE2S_BLOCK_SIZE.
> > > 
> > > Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
> > > ---
> > >  include/crypto/blake2s.h | 5 ++---
> > >  1 file changed, 2 insertions(+), 3 deletions(-)
> > > 
> > > diff --git a/include/crypto/blake2s.h b/include/crypto/blake2s.h
> > > index 648cb7824358..f0e0ce0b30a5 100644
> > > --- a/include/crypto/blake2s.h
> > > +++ b/include/crypto/blake2s.h
> > > @@ -70,9 +70,8 @@ static inline void __blake2s_init(struct blake2s_ctx *ctx, size_t outlen,
> > >  	ctx->buflen = 0;
> > >  	ctx->outlen = outlen;
> > >  	if (keylen) {
> > > -		memcpy(ctx->buf, key, keylen);
> > > -		memset(&ctx->buf[keylen], 0, BLAKE2S_BLOCK_SIZE - keylen);
> > > -		ctx->buflen = BLAKE2S_BLOCK_SIZE;
> > > +		memcpy_and_pad(ctx->buf, sizeof(ctx->buf), key, keylen, 0);
> > > +		ctx->buflen = sizeof(ctx->buf);
> > 
> > I'm wondering if this is actually better.  It's another helper function
> > to remember.  Also 'keylen' can be a compile-time constant here, and
> > compilers know what memcpy() and memset() do, so they will optimize the
> > code accordingly.  The helper function takes away the compiler's ability
> > to perform this optimization.  If this was already an out-of-line
> > function, it would be a bit more convincing.
> 
> My motivation was readability/maintainability and avoiding the manual
> tail-size arithmetic.  memcpy_and_pad() is just a thin wrapper around
> memcpy()/memset(), with an additional safety check to prevent integer
> wraparound.
> 
> Currently, nothing stops __blake2s_init() or blake2s_init_key() from
> being called with keylen > BLAKE2S_BLOCK_SIZE. The WARN_ON() in
> blake2s_init_key() is only available in DEBUG builds.
> 
> That said, happy to drop the patch if the explicit version is preferred
> for performance reasons.

I think the memcpy_and_pad() variant is *less* readable for most people.
memcpy_and_pad() isn't widely known, so people have to jump to the
definition to understand what it does.

Of course, we do create helper functions all the time when they are
helpful.  This one just doesn't seem all that helpful here, I'm afraid.

As for keylen > BLAKE2S_KEY_SIZE, that would be a usage error, which
would need to be found and fixed.  It certainly shouldn't be silently
truncated.  It looks like if this were to happen (currently it doesn't),
the current code would do memcpy with an underflowed value, which would
crash, similar to a BUG_ON().  That's actually better than the silent
truncation you're proposing, as it allows the problem to be found and
fixed.  If we add the truncation, it should at least be noisy:

        if (WARN_ON(keylen > BLAKE2S_KEY_SIZE))                                  
                keylen = BLAKE2S_KEY_SIZE;

- Eric