On Wed, Jun 01, 2022 at 12:18:10AM -0700, Nathan Huckleberry wrote:
> diff --git a/src/fscrypt-crypt-util.c b/src/fscrypt-crypt-util.c
[...]
> +void gf2_128_mul_polyval(ble128 *r, const ble128 *b)
> +{

This function should be static.

> +/*----------------------------------------------------------------------------*
> + * POLYVAL *
> + *----------------------------------------------------------------------------*/

This could use a link to a specification, similar to the other more "unusual" algorithms in this file. Try:

    git grep -A1 'Reference:' src/fscrypt-crypt-util.c

Likewise for HCTR2. The commit message has a link to the HCTR2 paper, but it should be in the code itself too.

> +static void polyval_update(const u8 key[POLYVAL_KEY_SIZE],
> +			   const u8 *msg, size_t msglen,
> +			   u8 accumulator[POLYVAL_BLOCK_SIZE])
> +{
> +	ble128 h;
> +	ble128 aligned_accumulator;
> +	size_t chunk_size;
> +	// x^{-128} = x^127 + x^124 + x^121 + x^114 + 1
> +	static const ble128 inv128 = {
> +		cpu_to_le64(1),
> +		cpu_to_le64(0x9204ULL << 48)
> +	};
> +
> +	memcpy(&h, key, POLYVAL_BLOCK_SIZE);
> +	memcpy(&aligned_accumulator, accumulator, POLYVAL_BLOCK_SIZE);
> +	gf2_128_mul_polyval(&h, &inv128);
> +
> +	while (msglen > 0) {
> +		chunk_size = MIN(POLYVAL_BLOCK_SIZE, msglen);
> +		xor((u8 *)&aligned_accumulator, (u8 *)&aligned_accumulator, msg,
> +		    chunk_size);
> +		gf2_128_mul_polyval(&aligned_accumulator, &h);
> +		msg += chunk_size;
> +		msglen -= chunk_size;
> +	}

The partial block support is unnecessary, so POLYVAL_BLOCK_SIZE could be used instead of chunk_size, and an assertion ASSERT(msglen % POLYVAL_BLOCK_SIZE == 0) could be added. See poly1305() in the same file which works similarly.

Otherwise this looks good, thanks!

- Eric
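Review bot: the inv128 constant in polyval_update() is consistent with its comment (0x9204ULL << 48 sets bits 63, 60, 57 and 50 of the high 64-bit word, which are x^127, x^124, x^121 and x^114 in POLYVAL's little-endian bit ordering, and cpu_to_le64(1) is the x^0 term), but nothing in the hunk states which field representation or reduction polynomial the value is taken in, so a reader cannot check it without going elsewhere. The comment should name the POLYVAL reduction polynomial x^128 + x^127 + x^126 + x^121 + 1 and the bit order, for example `// x^{-128} = x^127 + x^124 + x^121 + x^114 + 1 in GF(2^128) mod x^128 + x^127 + x^126 + x^121 + 1, POLYVAL (little-endian) bit order`, ideally next to the Reference: line requested above. A smaller point: the key conversion `gf2_128_mul_polyval(&h, &inv128)` is redone on every polyval_update() call rather than once per key; that is acceptable in a test utility, but a one-line comment saying the conversion is deliberately not cached would save the next reader the same question.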