tech-crypto archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Patch: cprng_fast performance - please review.
Miscellaneous notes -- I'm doing the benchmarking we discussed and
pondering whether it is right to switch from hc-128 to salsa20, separately.
On Thu, Apr 17, 2014 at 09:33:28PM +0000, Taylor R Campbell wrote:
>
> > +void
> > +hc128_init(hc128_state_t *state, const uint8_t *key, const uint8_t *iv)
> > +{
> > + unsigned int i;
> > + uint32_t w[1280], *p = state->p, *q = state->q;
>
> 5 KB on the stack is a lot! Granted, this is a leaf routine which in
> our case will be called only in a softint handler, but still.
Fixed.
> For the purposes of a PRNG, conversion to little-endian is not
> necessary. Would be nice for hc128_extract to just return uint32_t,
> too.
I'll benchmark this on a hardware, BE system (somehow; I don't have one
that's easy to get running again). Whatever cipher we use for this I
would prefer to leave its core transform alone, for several reasons.
> Forward declaration of cprng_fast_randrekey should go among the other
> forward declarations, not mixed up among the global state.
Fixed.
> Can we put the creation of kern_cprng and the initialization of
> cprng_fast into cprng_init? If not, there should be a comment
> explaining why not.
No -- it needs the kernel_cprng ready. I added a comment.
> Why generate the IV randomly? Why not a counter? Does the IV have
> any requirements other than that it never be reused with the same key,
> i.e. is it anything other than a nonce?
Why not generate it randomly? We hardly ever do it and extraction from
the kernel_cprng is cheap compared to the other keying operations.
> Are there actually any callers of cprng_fast at IPL_HIGH? Are there
> actually any legitimate random decisions to be made at IPL_HIGH? I'm
> sceptical.
What do you get if you cross an elephant and a rhinocerous? Given that
what we do within the spl* takes very little time I am inclined to say
what spl we go to hardly matters, and be very conservative. The real
question here, I think, is whether we should spl*() at all, or forbid
use of cprng_fast() from interrupt context entirely.
> > +size_t
> > +_cprng_fast_exact(void *p, size_t len)
> > +{
>
> This should KASSERT(len <= CPRNG_MAX_LEN) or something so nobody is
> tempted to generate obscene amounts of data at once (at IPL_HIGH or
> IPL_VM or whatever it turns out to be).
Fixed.
> > + ctx->numbytes += len;
>
> Check for arithmetic overflow and saturate.
Can't get even close -- the max bytes on key is constrained to 2^29
on entry to the function.
I fixed _cprng_fast_inexact per your comments.
Thor
Home |
Main Index |
Thread Index |
Old Index