RE: [PATCH crypto v2] crypto: blake2s - remove shash module

From: David Laight <David.Laight@ACULAB.COM>
To: "'Jason A. Donenfeld'" <Jason@zx2c4.com>,
	"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>
Cc: gaochao <gaochao49@huawei.com>,
	Eric Biggers <ebiggers@kernel.org>,
	"Ard Biesheuvel" <ardb@kernel.org>,
	"stable@vger.kernel.org" <stable@vger.kernel.org>
Subject: RE: [PATCH crypto v2] crypto: blake2s - remove shash module
Date: Fri, 27 May 2022 12:36:07 +0000	[thread overview]
Message-ID: <ffa404b7427043fda4b9f4a20ea0f068@AcuMS.aculab.com> (raw)
In-Reply-To: <20220527081106.63227-1-Jason@zx2c4.com>

From: Jason A. Donenfeld
> Sent: 27 May 2022 09:11
> 
> BLAKE2s has no use as an shash, with no users of it. Just remove all of
> this unnecessary plumbing. Removing this shash was something we talked
> about back when we were making BLAKE2s a built-in, but I simply never
> got around to doing it. So this completes that project.
...
> diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
> index c71c09621c09..716da32cf4dc 100644
> --- a/lib/crypto/blake2s.c
> +++ b/lib/crypto/blake2s.c
> @@ -16,16 +16,43 @@
>  #include <linux/init.h>
>  #include <linux/bug.h>
> 
> +static inline void blake2s_set_lastblock(struct blake2s_state *state)
> +{
> +	state->f[0] = -1;
> +}
> +
>  void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
>  {
> -	__blake2s_update(state, in, inlen, false);
> +	const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
> +
> +	if (unlikely(!inlen))
> +		return;

Does this happen often enough to optimise for?
The zero length memcpy() should be fine.
(though pedants might worry about in == NULL)

> +	if (inlen > fill) {

Testing inlen >= fill will be better.
You also don't need the code below in the (probably) likely
case that state->buflen == 0.

> +		memcpy(state->buf + state->buflen, in, fill);
> +		blake2s_compress(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
> +		state->buflen = 0;
> +		in += fill;
> +		inlen -= fill;

an 'if (!inlen) return' check here may be a cheap optimisation.

> +	}
> +	if (inlen > BLAKE2S_BLOCK_SIZE) {

This test only needs to be inside the earlier inlen > fill condition.
The compiler may not be able to assume so.

> +		const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);

Why not inlen/BLAKE2S_BLOCK_SIZE and remove all the '- 1'.
Looping inside blakes2s_compress() has to be better than
doing an extra call when processing the next data block.

> +		blake2s_compress(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> +		in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
> +		inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
> +	}
> +	memcpy(state->buf + state->buflen, in, inlen);
> +	state->buflen += inlen;
>  }
>  EXPORT_SYMBOL(blake2s_update);
> 
>  void blake2s_final(struct blake2s_state *state, u8 *out)
>  {
>  	WARN_ON(IS_ENABLED(DEBUG) && !out);
> -	__blake2s_final(state, out, false);
> +	blake2s_set_lastblock(state);
> +	memset(state->buf + state->buflen, 0, BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
> +	blake2s_compress(state, state->buf, 1, state->buflen);
> +	cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
> +	memcpy(out, state->h, state->outlen);
>  	memzero_explicit(state, sizeof(*state));
>  }
>  EXPORT_SYMBOL(blake2s_final);
> @@ -38,12 +65,7 @@ static int __init blake2s_mod_init(void)
>  	return 0;
>  }

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)