From: Ard Biesheuvel
> Sent: 14 June 2019 12:15
>
> (fix Eric's email address)
>
> On Fri, 14 Jun 2019 at 13:14, Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx> wrote:
> >
> > Using a bare block cipher in non-crypto code is almost always a bad idea,
> > not only for security reasons (and we've seen some examples of this in
> > the kernel in the past), but also for performance reasons.
> >
> > In the TCP fastopen case, we call into the bare AES block cipher one or
> > two times (depending on whether the connection is IPv4 or IPv6). On most
> > systems, this results in a call chain such as
> >
> >   crypto_cipher_encrypt_one(ctx, dst, src)
> >     crypto_cipher_crt(tfm)->cit_encrypt_one(crypto_cipher_tfm(tfm), ...);
> >       aesni_encrypt
> >         kernel_fpu_begin();
> >         aesni_enc(ctx, dst, src); // asm routine
> >         kernel_fpu_end();
> >
> > It is highly unlikely that the use of special AES instructions has a
> > benefit in this case, especially since we are doing the above twice
> > for IPv6 connections, instead of using a transform which can process
> > the entire input in one go.
> >
> > We could switch to the cbcmac(aes) shash, which would at least get
> > rid of the duplicated overhead in *some* cases (i.e., today, only
> > arm64 has an accelerated implementation of cbcmac(aes), while x86 will
> > end up using the generic cbcmac template wrapping the AES-NI cipher,
> > which basically ends up doing exactly the above). However, in the given
> > context, it makes more sense to use a light-weight MAC algorithm that
> > is more suitable for the purpose at hand, such as SipHash.
> >
> > Since the output size of SipHash already matches our chosen value for
> > TCP_FASTOPEN_COOKIE_SIZE, and given that it accepts arbitrary input
> > sizes, this greatly simplifies the code as well.
...
> > +	BUILD_BUG_ON(sizeof(siphash_key_t) != TCP_FASTOPEN_KEY_LENGTH);
> > +	BUILD_BUG_ON(sizeof(u64) != TCP_FASTOPEN_COOKIE_SIZE);

Those comparisons are backwards.
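Review bot: the `!=` polarity in both BUILD_BUG_ON() lines is the correct one and should stay: BUILD_BUG_ON() breaks the build when its argument evaluates to true, so `BUILD_BUG_ON(sizeof(siphash_key_t) != TCP_FASTOPEN_KEY_LENGTH)` fails compilation exactly when the SipHash key size and the fastopen key length diverge, which is the invariant the conversion relies on (likewise for `sizeof(u64)` against TCP_FASTOPEN_COOKIE_SIZE). Since the inverted reading is an easy mistake for a reviewer, a one-line comment above the pair stating the positive invariant (key is TCP_FASTOPEN_KEY_LENGTH bytes, cookie is TCP_FASTOPEN_COOKIE_SIZE bytes) would make the intent obvious.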
	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
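As an added example, not part of Ard's patch and not the kernel's lib/siphash.c, the following self-contained SipHash-2-4 in C shows the property the quoted message relies on: a single call absorbs a message of any length and returns 64 bits, so an IPv4 peer address (4 bytes) and an IPv6 one (16 bytes) each cost one call, and the result is already TCP_FASTOPEN_COOKIE_SIZE bytes wide. The cookie derivation used here (hashing the raw peer address as the message) and the names `tfo_cookie` and `siphash24_selftest` are assumptions for illustration only; `TCP_FASTOPEN_KEY_LENGTH` and `TCP_FASTOPEN_COOKIE_SIZE` are defined locally with the sizes the quoted BUILD_BUG_ON() lines require, and the same two size invariants are checked with `_Static_assert`. The self-test uses the published SipHash-2-4 reference vectors (key 00..0f, messages of length 0 and 15).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Sizes assumed for this example; they match what the quoted
 * BUILD_BUG_ON() lines compare against (16-byte key, 8-byte cookie). */
#define TCP_FASTOPEN_KEY_LENGTH  16
#define TCP_FASTOPEN_COOKIE_SIZE 8

/* Two little-endian 64-bit words, i.e. a 16-byte key. */
typedef struct { uint64_t key[2]; } siphash_key_t;

/* Same invariants the quoted patch enforces at build time. */
_Static_assert(sizeof(siphash_key_t) == TCP_FASTOPEN_KEY_LENGTH, "key size");
_Static_assert(sizeof(uint64_t) == TCP_FASTOPEN_COOKIE_SIZE, "cookie size");

#define ROTL64(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))

#define SIPROUND do {                                                   \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);       \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                            \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                            \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);       \
} while (0)

static uint64_t load_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* SipHash-2-4 (c = 2 compression rounds, d = 4 finalization rounds).
 * One call handles any message length and returns a 64-bit tag. */
uint64_t siphash24(const uint8_t *in, size_t len, const siphash_key_t *key)
{
    uint64_t k0 = key->key[0], k1 = key->key[1];
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0;   /* "somepseu" */
    uint64_t v1 = 0x646f72616e646f6dULL ^ k1;   /* "dorandom" */
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0;   /* "lygenera" */
    uint64_t v3 = 0x7465646279746573ULL ^ k1;   /* "tedbytes" */
    uint64_t b = (uint64_t)len << 56;           /* length byte rides in the last block */
    size_t i = 0;

    for (; i + 8 <= len; i += 8) {              /* full 8-byte blocks */
        uint64_t m = load_le64(in + i);
        v3 ^= m;
        SIPROUND; SIPROUND;
        v0 ^= m;
    }
    for (size_t j = 0; i + j < len; j++)        /* 0..7 tail bytes, little-endian */
        b |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= b;
    SIPROUND; SIPROUND;
    v0 ^= b;

    v2 ^= 0xff;                                 /* finalization */
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Hypothetical cookie derivation for this example: the peer address is the
 * whole message, so IPv4 (4 bytes) and IPv6 (16 bytes) are each one call
 * and the 64-bit result is exactly TCP_FASTOPEN_COOKIE_SIZE bytes. */
uint64_t tfo_cookie(const uint8_t *peer_addr, size_t addr_len, const siphash_key_t *key)
{
    return siphash24(peer_addr, addr_len, key);
}

/* Reference vectors from the SipHash paper: key = 00 01 .. 0f,
 * message = empty and message = 00 01 .. 0e. */
int siphash24_selftest(void)
{
    siphash_key_t key = { { 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL } };
    uint8_t msg[15];
    for (int i = 0; i < 15; i++)
        msg[i] = (uint8_t)i;
    return siphash24(msg, 0, &key) == 0x726fdb47dd0e0e31ULL &&
           siphash24(msg, sizeof msg, &key) == 0xa129ca6149be45e5ULL;
}

/* Cookies must depend on the key and on the address (constructed inputs). */
int tfo_cookie_demo_ok(void)
{
    siphash_key_t k1 = { { 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL } };
    siphash_key_t k2 = { { 0x0706050403020100ULL, 0x0f0e0d0c0b0a0909ULL } };
    uint8_t v4[4]  = { 192, 0, 2, 1 };                               /* 192.0.2.1 */
    uint8_t v6[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
                       0, 0, 0, 0, 0, 0, 0, 1 };                     /* 2001:db8::1 */
    return tfo_cookie(v4, sizeof v4, &k1) == tfo_cookie(v4, sizeof v4, &k1) &&
           tfo_cookie(v4, sizeof v4, &k1) != tfo_cookie(v4, sizeof v4, &k2) &&
           tfo_cookie(v4, sizeof v4, &k1) != tfo_cookie(v6, sizeof v6, &k1);
}

int main(void)
{
    siphash_key_t key = { { 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL } }; /* constructed, not secret */
    uint8_t v4[4]  = { 192, 0, 2, 1 };
    uint8_t v6[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };

    printf("selftest: %s\n", siphash24_selftest() ? "ok" : "FAILED");
    printf("v4 cookie: %016llx\n", (unsigned long long)tfo_cookie(v4, sizeof v4, &key));
    printf("v6 cookie: %016llx\n", (unsigned long long)tfo_cookie(v6, sizeof v6, &key));
    return siphash24_selftest() && tfo_cookie_demo_ok() ? 0 : 1;
}
```

The contrast with the AES path in the quoted call chain is the loop in `siphash24`: the 16-byte IPv6 address is two compression blocks inside one invocation, with no per-call FPU save/restore and no second cipher call, while the 4-byte IPv4 address is absorbed entirely through the tail-byte path.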