From: Pascal Van Leeuwen <pvanleeuwen@insidesecure.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Eric Biggers <ebiggers@kernel.org>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>
Subject: RE: another testmgr question
Date: Fri, 24 May 2019 07:47:06 +0000 [thread overview]
Message-ID: <AM6PR09MB3523A3C44CFE5C83746B6136D2020@AM6PR09MB3523.eurprd09.prod.outlook.com> (raw)
In-Reply-To: <CAKv+Gu9F8EcDE8GRSyHFUh_pPXPJDziw7hXO=G4nA31PomDZ1g@mail.gmail.com>
> > Valid? A totally fabricated case, if you ask me. Yes, you could do that,
> > but is it *useful* at all? Really?
>
> Yes, really. The likelihood of a test vector occurring in practice is
> entirely irrelevant. What matters is that the test vectors provide
> known outputs for known inputs, and many algorithm specifications
> explicitly contain the empty message as one of the documented test
> vectors.
>
I wholeheartedly disagree - in the context of hardware design, anyway.
When you implement something, you care about practicle usability.
Wasting gates / timing / power / cycles / whatever on something that
has no use relevant use case is just silly. (In the particular case of
zero length messages, this is not so trivial to implement in a data
driven HW architecture! Data driven ... But no data ...)
As long as you properly specify your hardware's limitations, it should
not need to be an issue. If the HW doesn't match your use case, then
don't use it for that ... HW almost always has such limitations.
For FIPS certification, zero length vectors are considered *optional*.
Probably because they realized most HW out there can't do it ...
> In fact, given the above, I am slightly shocked that your hardware
> does not handle empty messages correctly. Are you sure it is a
> hardware problem and not a driver problem?
>
As a matter of fact, pretty sure, yeah, as I'm actually "the HW guy".
Nothing really shocking about that. We mainly do network protocol
acceleration anyway, being able to do some basic operations is just a
bonus. We do specify very extensively what we can and cannot support.
> In any case, as Eric points out as well, nothing is stopping you from
> adding a special case to your driver that falls back to the software
> implementation for known broken test cases.
>
Sure. But my point is that you end up with a driver full of special cases.
Which is just bloat slowing it down and blowing it up.
Besides, in order to be able to fallback to software for this case
I would have to maintain a shadow software context for *every* HW context
just because someone *might* do some zero length operation somewhere in
the future. Because by the time the context is established (setkey),
I cannot predict that I will get such a zero length request yet. Yuck.
> Removing test cases from the set because of broken hardware is out of
> the question IMO. It doesn't actually fix the problem, and it may
> actually result in breakage, especially for h/w accelerated crypto
> exposed to userland, of which we have no idea whatsoever how it is
> being used, and whether correct handling of zero length vectors is
> likely to break anything or not.
>
The driver could check for it and return an -EINVAL error code.
That would not break anything besides the application itself trying
to do this. Which could then fail gracefully.
> > No, it's not because a file of length 0 is a file of length 0, the length
> > in itself is sufficient guarantee of its contents. The hash does not add
> > *anything* in this case. It's a constant anyway, the same value for *any*
> > zero-length file. It doesn't tell you anything you didn't already know.
> > IMHO the tool should just return a message stating "hashing an empty file
> > does not make any sense at all ...".
> >
>
> You are making assumptions about how the crypto is being used at a
> higher level. Eric's example may not make sense to you, but arguing
> that *any* use of sha256sum on empty files is guaranteed to be
> non-sensical in all imaginable cases is ridiculous.
>
Actually, the thought occurred to me in the shower this morning that that
*might* be useful in case you don't have expectations of the length
whatsoever and only know the expected sum. In which case that would
validate that a zero-length file is indeed what you should have ...
Still - is that something the crypto API is *currently* being used for?
And if not, do we ever *intend* to use it for something like that?
If not, then we could just specify it to be illegal such that no one
would ever attempt to do it. You have that freedom as long as there are
no existing applications depending on it ...
Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines
Tel. : +31 (0)73 65 81 900
www.insidesecure.com
next prev parent reply other threads:[~2019-05-24 7:47 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <AM6PR09MB3523CED0B1587FCBDE4095A0D2010@AM6PR09MB3523.eurprd09.prod.outlook.com>
[not found] ` <20190523185833.GA243994@google.com>
2019-05-23 19:32 ` another testmgr question Pascal Van Leeuwen
2019-05-23 20:05 ` Eric Biggers
2019-05-23 21:43 ` Pascal Van Leeuwen
2019-05-23 23:48 ` Eric Biggers
2019-05-24 8:44 ` Pascal Van Leeuwen
2019-05-24 8:46 ` Christophe Leroy
2019-05-24 8:49 ` Jeffrey Walton
2019-05-24 9:42 ` Pascal Van Leeuwen
2019-05-24 9:21 ` Pascal Van Leeuwen
2019-05-24 9:25 ` Ard Biesheuvel
2019-05-24 9:34 ` Pascal Van Leeuwen
2019-05-24 9:45 ` Ard Biesheuvel
2019-05-24 9:57 ` Pascal Van Leeuwen
2019-05-24 11:09 ` Ard Biesheuvel
2019-05-27 9:52 ` Pascal Van Leeuwen
2019-05-24 10:13 ` Pascal Van Leeuwen
2019-05-24 10:43 ` Kamil Konieczny
2019-05-24 10:54 ` Christophe Leroy
2019-05-27 9:44 ` Pascal Van Leeuwen
2019-05-27 9:49 ` Ard Biesheuvel
2019-05-27 10:04 ` Pascal Van Leeuwen
2019-05-27 10:28 ` Ard Biesheuvel
2019-05-27 10:43 ` Pascal Van Leeuwen
2019-05-27 10:57 ` Ard Biesheuvel
2019-05-27 12:22 ` Pascal Van Leeuwen
2019-05-27 14:59 ` Ard Biesheuvel
2019-05-27 15:56 ` Pascal Van Leeuwen
2019-05-27 16:21 ` Ard Biesheuvel
2019-05-27 20:15 ` Pascal Van Leeuwen
2019-05-27 12:41 ` Pascal Van Leeuwen
2019-05-27 14:45 ` Ard Biesheuvel
2019-05-27 15:16 ` Pascal Van Leeuwen
2019-05-27 15:24 ` Ard Biesheuvel
2019-05-27 20:46 ` Pascal Van Leeuwen
2019-05-25 1:22 ` Eric Biggers
2019-05-27 9:55 ` Pascal Van Leeuwen
2019-05-24 9:27 ` Stephan Mueller
2019-05-24 5:24 ` Ard Biesheuvel
2019-05-24 7:04 ` Kamil Konieczny
2019-05-24 7:47 ` Pascal Van Leeuwen [this message]
2019-05-24 9:15 ` Ard Biesheuvel
2019-05-24 9:28 ` Pascal Van Leeuwen
2019-05-24 6:21 ` Christophe Leroy
2019-05-24 8:04 ` Pascal Van Leeuwen
2019-05-24 6:14 ` Jeffrey Walton
2019-05-24 8:00 ` Pascal Van Leeuwen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=AM6PR09MB3523A3C44CFE5C83746B6136D2020@AM6PR09MB3523.eurprd09.prod.outlook.com \
--to=pvanleeuwen@insidesecure.com \
--cc=ard.biesheuvel@linaro.org \
--cc=ebiggers@kernel.org \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.