From: Vitaly Chikunov <vt@altlinux.org>
To: Eric Biggers <ebiggers@kernel.org>, linux-crypto@vger.kernel.org
Subject: Re: [RFC/RFT PATCH 09/18] crypto: streebog - fix unaligned memory accesses
Date: Tue, 2 Apr 2019 19:15:57 +0300 [thread overview]
Message-ID: <20190402161557.lg37muib4qy4az22@altlinux.org> (raw)
In-Reply-To: <20190331214717.4erxk2racxphfbha@altlinux.org>
Eric,
On Mon, Apr 01, 2019 at 12:47:19AM +0300, Vitaly Chikunov wrote:
> On Sun, Mar 31, 2019 at 01:04:19PM -0700, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@google.com>
> >
> > Don't cast the data buffer directly to streebog_uint512, as this
> > violates alignment rules.
> >
> > Fixes: fe18957e8e87 ("crypto: streebog - add Streebog hash function")
> > Cc: Vitaly Chikunov <vt@altlinux.org>
> > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > ---
> > crypto/streebog_generic.c | 25 +++++++++++++------------
> > include/crypto/streebog.h | 5 ++++-
> > 2 files changed, 17 insertions(+), 13 deletions(-)
> >
> > diff --git a/crypto/streebog_generic.c b/crypto/streebog_generic.c
> > index 5a2eafed9c29f..b82fc3d79aa15 100644
> > --- a/crypto/streebog_generic.c
> > +++ b/crypto/streebog_generic.c
> > @@ -996,7 +996,7 @@ static void streebog_add512(const struct streebog_uint512 *x,
> >
> > static void streebog_g(struct streebog_uint512 *h,
> > const struct streebog_uint512 *N,
> > - const u8 *m)
> > + const struct streebog_uint512 *m)
> > {
> > struct streebog_uint512 Ki, data;
> > unsigned int i;
> > @@ -1005,7 +1005,7 @@ static void streebog_g(struct streebog_uint512 *h,
> >
> > /* Starting E() */
> > Ki = data;
> > - streebog_xlps(&Ki, (const struct streebog_uint512 *)&m[0], &data);
> > + streebog_xlps(&Ki, m, &data);
> >
> > for (i = 0; i < 11; i++)
> > streebog_round(i, &Ki, &data);
> > @@ -1015,16 +1015,19 @@ static void streebog_g(struct streebog_uint512 *h,
> > /* E() done */
> >
> > streebog_xor(&data, h, &data);
> > - streebog_xor(&data, (const struct streebog_uint512 *)&m[0], h);
> > + streebog_xor(&data, m, h);
> > }
> >
> > static void streebog_stage2(struct streebog_state *ctx, const u8 *data)
> > {
> > - streebog_g(&ctx->h, &ctx->N, data);
> > + struct streebog_uint512 m;
> > +
> > + memcpy(&m, data, sizeof(m));
> > +
> > + streebog_g(&ctx->h, &ctx->N, &m);
> >
> > streebog_add512(&ctx->N, &buffer512, &ctx->N);
> > - streebog_add512(&ctx->Sigma, (const struct streebog_uint512 *)data,
> > - &ctx->Sigma);
> > + streebog_add512(&ctx->Sigma, &m, &ctx->Sigma);
> > }
>
> As I understand, this is the actual fix.
Probably, even better would be to use CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
to optimize out memcpy() for such architectures.
Thanks,
> Reviewed-by: Vitaly Chikunov <vt@altlinux.org>
>
> Thanks much!
>
> >
> > static void streebog_stage3(struct streebog_state *ctx)
> > @@ -1034,13 +1037,11 @@ static void streebog_stage3(struct streebog_state *ctx)
> > buf.qword[0] = cpu_to_le64(ctx->fillsize << 3);
> > streebog_pad(ctx);
> >
> > - streebog_g(&ctx->h, &ctx->N, (const u8 *)&ctx->buffer);
> > + streebog_g(&ctx->h, &ctx->N, &ctx->m);
> > streebog_add512(&ctx->N, &buf, &ctx->N);
> > - streebog_add512(&ctx->Sigma,
> > - (const struct streebog_uint512 *)&ctx->buffer[0],
> > - &ctx->Sigma);
> > - streebog_g(&ctx->h, &buffer0, (const u8 *)&ctx->N);
> > - streebog_g(&ctx->h, &buffer0, (const u8 *)&ctx->Sigma);
> > + streebog_add512(&ctx->Sigma, &ctx->m, &ctx->Sigma);
> > + streebog_g(&ctx->h, &buffer0, &ctx->N);
> > + streebog_g(&ctx->h, &buffer0, &ctx->Sigma);
> > memcpy(&ctx->hash, &ctx->h, sizeof(struct streebog_uint512));
> > }
> >
> > diff --git a/include/crypto/streebog.h b/include/crypto/streebog.h
> > index 856e32af86574..cae1b4a019713 100644
> > --- a/include/crypto/streebog.h
> > +++ b/include/crypto/streebog.h
> > @@ -23,7 +23,10 @@ struct streebog_uint512 {
> > };
> >
> > struct streebog_state {
> > - u8 buffer[STREEBOG_BLOCK_SIZE];
> > + union {
> > + u8 buffer[STREEBOG_BLOCK_SIZE];
> > + struct streebog_uint512 m;
> > + };
> > struct streebog_uint512 hash;
> > struct streebog_uint512 h;
> > struct streebog_uint512 N;
> > --
> > 2.21.0
next prev parent reply other threads:[~2019-04-02 16:16 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-31 20:04 [RFC/RFT PATCH 00/18] crypto: fuzz algorithms against their generic implementation Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 01/18] crypto: x86/poly1305 - fix overflow during partial reduction Eric Biggers
2019-04-01 7:52 ` Martin Willi
2019-03-31 20:04 ` [RFC/RFT PATCH 02/18] crypto: crct10dif-generic - fix use via crypto_shash_digest() Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 03/18] crypto: x86/crct10dif-pcl " Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 04/18] crypto: skcipher - restore default skcipher_walk::iv on error Eric Biggers
2019-04-08 6:23 ` Herbert Xu
2019-04-08 17:27 ` Eric Biggers
2019-04-09 6:37 ` Herbert Xu
2019-03-31 20:04 ` [RFC/RFT PATCH 05/18] crypto: skcipher - don't WARN on unprocessed data after slow walk step Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 06/18] crypto: chacha20poly1305 - set cra_name correctly Eric Biggers
2019-04-01 7:57 ` Martin Willi
2019-03-31 20:04 ` [RFC/RFT PATCH 07/18] crypto: gcm - fix incompatibility between "gcm" and "gcm_base" Eric Biggers
2019-04-01 15:56 ` Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 08/18] crypto: ccm - fix incompatibility between "ccm" and "ccm_base" Eric Biggers
2019-04-02 15:48 ` Sasha Levin
2019-03-31 20:04 ` [RFC/RFT PATCH 09/18] crypto: streebog - fix unaligned memory accesses Eric Biggers
2019-03-31 21:47 ` Vitaly Chikunov
2019-04-02 16:15 ` Vitaly Chikunov [this message]
2019-04-02 16:57 ` Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 10/18] crypto: cts - don't support empty messages Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 11/18] crypto: arm64/cbcmac - handle empty messages in same way as template Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 12/18] crypto: testmgr - expand ability to test for errors Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 13/18] crypto: testmgr - identify test vectors by name rather than number Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 14/18] crypto: testmgr - add helpers for fuzzing against generic implementation Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 15/18] crypto: testmgr - fuzz hashes against their " Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 16/18] crypto: testmgr - fuzz skciphers " Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 17/18] crypto: testmgr - fuzz AEADs " Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 18/18] crypto: run initcalls for generic implementations earlier Eric Biggers
2019-04-08 5:53 ` Herbert Xu
2019-04-08 17:44 ` Eric Biggers
2019-04-09 6:24 ` Herbert Xu
2019-04-09 18:16 ` Eric Biggers
2019-04-11 6:26 ` Herbert Xu
2019-04-08 6:44 ` [RFC/RFT PATCH 00/18] crypto: fuzz algorithms against their generic implementation Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190402161557.lg37muib4qy4az22@altlinux.org \
--to=vt@altlinux.org \
--cc=ebiggers@kernel.org \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.