From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: Eric Biggers <ebiggers@kernel.org>
Cc: "open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
<linux-crypto@vger.kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
David Miller <davem@davemloft.net>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Samuel Neves <sneves@dei.uc.pt>, Arnd Bergmann <arnd@arndb.de>,
Andy Lutomirski <luto@kernel.org>,
Martin Willi <martin@strongswan.org>,
Rene van Dorst <opensource@vdorst.com>,
David Sterba <dsterba@suse.com>
Subject: Re: [PATCH v4 22/35] crypto: BLAKE2s - generic C library implementation and selftest
Date: Fri, 8 Nov 2019 12:28:40 +0100 [thread overview]
Message-ID: <CAKv+Gu-FjMsqiCpJurSG3FOGynpmdcJJPt15FGOsZK5kQjX-mg@mail.gmail.com> (raw)
In-Reply-To: <CAKv+Gu_9rY6OBEZ9iZQ53CWRQbd+k64JL4Tuazn3BO3ohF2g6w@mail.gmail.com>
On Wed, 6 Nov 2019 at 17:41, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>
> On Wed, 23 Oct 2019 at 06:51, Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > On Thu, Oct 17, 2019 at 09:09:19PM +0200, Ard Biesheuvel wrote:
> > > diff --git a/lib/crypto/blake2s-selftest.c b/lib/crypto/blake2s-selftest.c
> > > new file mode 100644
> > > index 000000000000..7ba00fcc6b60
> > > --- /dev/null
> > > +++ b/lib/crypto/blake2s-selftest.c
> > > @@ -0,0 +1,2093 @@
> > > +// SPDX-License-Identifier: GPL-2.0 OR MIT
> > > +/*
> > > + * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
> > > + */
> > > +
> > > +#include <crypto/blake2s.h>
> > > +#include <linux/string.h>
> > > +
> > > +static const u8 blake2s_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
> > [...]
> > > +bool __init blake2s_selftest(void)
> > > +{
> > > + u8 key[BLAKE2S_KEY_SIZE];
> > > + u8 buf[ARRAY_SIZE(blake2s_testvecs)];
> > > + u8 hash[BLAKE2S_HASH_SIZE];
> > > + size_t i;
> > > + bool success = true;
> > > +
> > > + for (i = 0; i < BLAKE2S_KEY_SIZE; ++i)
> > > + key[i] = (u8)i;
> > > +
> > > + for (i = 0; i < ARRAY_SIZE(blake2s_testvecs); ++i)
> > > + buf[i] = (u8)i;
> > > +
> > > + for (i = 0; i < ARRAY_SIZE(blake2s_keyed_testvecs); ++i) {
> > > + blake2s(hash, buf, key, BLAKE2S_HASH_SIZE, i, BLAKE2S_KEY_SIZE);
> > > + if (memcmp(hash, blake2s_keyed_testvecs[i], BLAKE2S_HASH_SIZE)) {
> > > + pr_err("blake2s keyed self-test %zu: FAIL\n", i + 1);
> > > + success = false;
> > > + }
> > > + }
> > > +
> > > + for (i = 0; i < ARRAY_SIZE(blake2s_testvecs); ++i) {
> > > + blake2s(hash, buf, NULL, BLAKE2S_HASH_SIZE, i, 0);
> > > + if (memcmp(hash, blake2s_testvecs[i], BLAKE2S_HASH_SIZE)) {
> > > + pr_err("blake2s unkeyed self-test %zu: FAIL\n", i + i);
> > > + success = false;
> > > + }
> > > + }
> > > + return success;
> > > +}
> >
> > The only tests here are for blake2s(), with 0 and 32-byte keys. There's no
> > tests that incremental blake2s_update()s work correctly, nor any other key
> > sizes. And these don't get tested properly by the blake2s-generic shash tests
> > either, because blake2s-generic has a separate implementation of the boilerplate
> > and calls blake2s_compress_generic() directly. Did you consider implementing
> > blake2s-generic on top of blake2s_init/update/final instead?
> >
>
> That would make blake2s-generic use the accelerated implementations as
> well, which I tried to avoid.
>
> I will add some test cases here instead.
>
> > Also, blake2s_hmac() needs tests.
> >
>
> Ack
I cooked up another set of test cases for keyed and plain blake2s
which use arbitrary combinations of supported key and digest lengths.
The delta patch is at the top of this branch:
https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=wireguard-crypto-library-api-v5
The blake2s_hmac() code is actually broken: it ignores the 'outlen'
parameter except for the memcpy() at the end, which means it runs both
blake2s with the full length digest twice and then simply truncates it
at the end.
Given that blake2s hmac seems to be a WireGuard invention, which only
uses the full digest length, would anyone mind if I change this to
blake2s256_hmac() and drop the outlen parameter? Then, we at least
have parity with openssl HMAC() and EVP_blake2s256().
next prev parent reply other threads:[~2019-11-08 11:28 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-17 19:08 [PATCH v4 00/35] crypto: crypto API library interfaces for WireGuard Ard Biesheuvel
2019-10-17 19:08 ` [PATCH v4 01/35] crypto: tidy up lib/crypto Kconfig and Makefile Ard Biesheuvel
2019-10-17 19:08 ` [PATCH v4 02/35] crypto: chacha - move existing library code into lib/crypto Ard Biesheuvel
2019-10-23 3:05 ` Eric Biggers
2019-11-04 9:06 ` Ard Biesheuvel
2019-10-23 3:12 ` Eric Biggers
2019-10-17 19:09 ` [PATCH v4 03/35] crypto: x86/chacha - depend on generic chacha library instead of crypto driver Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 04/35] crypto: x86/chacha - expose SIMD ChaCha routine as library function Ard Biesheuvel
2019-10-23 3:10 ` Eric Biggers
2019-10-23 4:40 ` Eric Biggers
2019-10-17 19:09 ` [PATCH v4 05/35] crypto: arm64/chacha - depend on generic chacha library instead of crypto driver Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 06/35] crypto: arm64/chacha - expose arm64 ChaCha routine as library function Ard Biesheuvel
2019-10-23 3:16 ` Eric Biggers
2019-10-17 19:09 ` [PATCH v4 07/35] crypto: arm/chacha - import Eric Biggers's scalar accelerated ChaCha code Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 08/35] crypto: arm/chacha - remove dependency on generic ChaCha driver Ard Biesheuvel
2019-10-23 3:21 ` Eric Biggers
2019-10-17 19:09 ` [PATCH v4 09/35] crypto: arm/chacha - expose ARM ChaCha routine as library function Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 10/35] crypto: mips/chacha - import 32r2 ChaCha code from Zinc Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 11/35] crypto: mips/chacha - wire up accelerated 32r2 " Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 12/35] crypto: chacha - unexport chacha_generic routines Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 13/35] crypto: poly1305 - move core routines into a separate library Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 14/35] crypto: x86/poly1305 - unify Poly1305 state struct with generic code Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 15/35] crypto: poly1305 - expose init/update/final library interface Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 16/35] crypto: x86/poly1305 - depend on generic library not generic shash Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 17/35] crypto: x86/poly1305 - expose existing driver as poly1305 library Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 18/35] crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS NEON implementation Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 19/35] crypto: arm/poly1305 " Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 20/35] crypto: mips/poly1305 - incorporate OpenSSL/CRYPTOGAMS optimized implementation Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 21/35] int128: move __uint128_t compiler test to Kconfig Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 22/35] crypto: BLAKE2s - generic C library implementation and selftest Ard Biesheuvel
2019-10-23 4:51 ` Eric Biggers
2019-11-06 16:41 ` Ard Biesheuvel
2019-11-08 11:28 ` Ard Biesheuvel [this message]
2019-10-17 19:09 ` [PATCH v4 23/35] crypto: testmgr - add test cases for Blake2s Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 24/35] crypto: blake2s - implement generic shash driver Ard Biesheuvel
2019-10-23 3:25 ` Eric Biggers
2019-10-17 19:09 ` [PATCH v4 25/35] crypto: BLAKE2s - x86_64 SIMD implementation Ard Biesheuvel
2019-10-23 4:55 ` Eric Biggers
2019-10-23 14:08 ` Jason A. Donenfeld
2019-10-23 15:04 ` Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 26/35] crypto: Curve25519 - generic C library implementations Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 27/35] crypto: testmgr - implement testing for KPP failures Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 28/35] crypto: curve25519 - add kpp selftest Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 29/35] crypto: curve25519 - implement generic KPP driver Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 30/35] crypto: lib/curve25519 - work around Clang stack spilling issue Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 31/35] crypto: Curve25519 - x86_64 library and KPP implementations Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 32/35] crypto: arm - import Bernstein and Schwabe's Curve25519 ARM implementation Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 33/35] crypto: arm/Curve25519 - wire up NEON implementation Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 34/35] crypto: chacha20poly1305 - import construction and selftest from Zinc Ard Biesheuvel
2019-10-17 19:09 ` [PATCH v4 35/35] crypto: lib/chacha20poly1305 - reimplement crypt_from_sg() routine Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKv+Gu-FjMsqiCpJurSG3FOGynpmdcJJPt15FGOsZK5kQjX-mg@mail.gmail.com \
--to=ard.biesheuvel@linaro.org \
--cc=Jason@zx2c4.com \
--cc=arnd@arndb.de \
--cc=davem@davemloft.net \
--cc=dsterba@suse.com \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=luto@kernel.org \
--cc=martin@strongswan.org \
--cc=opensource@vdorst.com \
--cc=sneves@dei.uc.pt \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).