linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH RESEND] random: initialize ChaCha20 constants with correct endianness
@ 2021-03-22  5:13 Eric Biggers
  2021-04-02  9:03 ` Herbert Xu
  0 siblings, 1 reply; 5+ messages in thread
From: Eric Biggers @ 2021-03-22  5:13 UTC (permalink / raw)
  To: Theodore Ts'o
  Cc: linux-kernel, linux-crypto, Andy Lutomirski, Jann Horn,
	Herbert Xu, Ard Biesheuvel

From: Eric Biggers <ebiggers@google.com>

On big endian CPUs, the ChaCha20-based CRNG is using the wrong
endianness for the ChaCha20 constants.

This doesn't matter cryptographically, but technically it means it's not
ChaCha20 anymore.  Fix it to always use the standard constants.

Cc: linux-crypto@vger.kernel.org
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Jann Horn <jannh@google.com>
Cc: Theodore Ts'o <tytso@mit.edu>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 drivers/char/random.c   | 4 ++--
 include/crypto/chacha.h | 9 +++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/char/random.c b/drivers/char/random.c
index 0fe9e200e4c84..5d6acfecd919b 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -819,7 +819,7 @@ static bool __init crng_init_try_arch_early(struct crng_state *crng)
 
 static void __maybe_unused crng_initialize_secondary(struct crng_state *crng)
 {
-	memcpy(&crng->state[0], "expand 32-byte k", 16);
+	chacha_init_consts(crng->state);
 	_get_random_bytes(&crng->state[4], sizeof(__u32) * 12);
 	crng_init_try_arch(crng);
 	crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
@@ -827,7 +827,7 @@ static void __maybe_unused crng_initialize_secondary(struct crng_state *crng)
 
 static void __init crng_initialize_primary(struct crng_state *crng)
 {
-	memcpy(&crng->state[0], "expand 32-byte k", 16);
+	chacha_init_consts(crng->state);
 	_extract_entropy(&input_pool, &crng->state[4], sizeof(__u32) * 12, 0);
 	if (crng_init_try_arch_early(crng) && trust_cpu) {
 		invalidate_batched_entropy();
diff --git a/include/crypto/chacha.h b/include/crypto/chacha.h
index 3a1c72fdb7cf5..dabaee6987186 100644
--- a/include/crypto/chacha.h
+++ b/include/crypto/chacha.h
@@ -47,13 +47,18 @@ static inline void hchacha_block(const u32 *state, u32 *out, int nrounds)
 		hchacha_block_generic(state, out, nrounds);
 }
 
-void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv);
-static inline void chacha_init_generic(u32 *state, const u32 *key, const u8 *iv)
+static inline void chacha_init_consts(u32 *state)
 {
 	state[0]  = 0x61707865; /* "expa" */
 	state[1]  = 0x3320646e; /* "nd 3" */
 	state[2]  = 0x79622d32; /* "2-by" */
 	state[3]  = 0x6b206574; /* "te k" */
+}
+
+void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv);
+static inline void chacha_init_generic(u32 *state, const u32 *key, const u8 *iv)
+{
+	chacha_init_consts(state);
 	state[4]  = key[0];
 	state[5]  = key[1];
 	state[6]  = key[2];
-- 
2.31.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH RESEND] random: initialize ChaCha20 constants with correct endianness
  2021-03-22  5:13 [PATCH RESEND] random: initialize ChaCha20 constants with correct endianness Eric Biggers
@ 2021-04-02  9:03 ` Herbert Xu
  0 siblings, 0 replies; 5+ messages in thread
From: Herbert Xu @ 2021-04-02  9:03 UTC (permalink / raw)
  To: Eric Biggers
  Cc: Theodore Ts'o, linux-kernel, linux-crypto, Andy Lutomirski,
	Jann Horn, Ard Biesheuvel

On Sun, Mar 21, 2021 at 10:13:47PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> On big endian CPUs, the ChaCha20-based CRNG is using the wrong
> endianness for the ChaCha20 constants.
> 
> This doesn't matter cryptographically, but technically it means it's not
> ChaCha20 anymore.  Fix it to always use the standard constants.
> 
> Cc: linux-crypto@vger.kernel.org
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Jann Horn <jannh@google.com>
> Cc: Theodore Ts'o <tytso@mit.edu>
> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
> Acked-by: Ard Biesheuvel <ardb@kernel.org>
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  drivers/char/random.c   | 4 ++--
>  include/crypto/chacha.h | 9 +++++++--
>  2 files changed, 9 insertions(+), 4 deletions(-)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH RESEND] random: initialize ChaCha20 constants with correct endianness
  2021-01-12 19:29 Eric Biggers
  2021-01-13 11:52 ` Ard Biesheuvel
@ 2021-02-01 22:43 ` Eric Biggers
  1 sibling, 0 replies; 5+ messages in thread
From: Eric Biggers @ 2021-02-01 22:43 UTC (permalink / raw)
  To: Andrew Morton
  Cc: linux-kernel, linux-crypto, Andy Lutomirski, Jann Horn,
	Theodore Ts'o, Herbert Xu

On Tue, Jan 12, 2021 at 11:29:27AM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> On big endian CPUs, the ChaCha20-based CRNG is using the wrong
> endianness for the ChaCha20 constants.
> 
> This doesn't matter cryptographically, but technically it means it's not
> ChaCha20 anymore.  Fix it to always use the standard constants.
> 
> Cc: linux-crypto@vger.kernel.org
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Jann Horn <jannh@google.com>
> Cc: Theodore Ts'o <tytso@mit.edu>
> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
> 
> Andrew, please consider taking this patch since the maintainer has been
> ignoring it for 4 months
> (https://lkml.kernel.org/lkml/20200916045013.142179-1-ebiggers@kernel.org/T/#u).

Ping.

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH RESEND] random: initialize ChaCha20 constants with correct endianness
  2021-01-12 19:29 Eric Biggers
@ 2021-01-13 11:52 ` Ard Biesheuvel
  2021-02-01 22:43 ` Eric Biggers
  1 sibling, 0 replies; 5+ messages in thread
From: Ard Biesheuvel @ 2021-01-13 11:52 UTC (permalink / raw)
  To: Eric Biggers
  Cc: Andrew Morton, Linux Kernel Mailing List,
	Linux Crypto Mailing List, Andy Lutomirski, Jann Horn,
	Theodore Ts'o, Herbert Xu

On Tue, 12 Jan 2021 at 20:30, Eric Biggers <ebiggers@kernel.org> wrote:
>
> From: Eric Biggers <ebiggers@google.com>
>
> On big endian CPUs, the ChaCha20-based CRNG is using the wrong
> endianness for the ChaCha20 constants.
>
> This doesn't matter cryptographically, but technically it means it's not
> ChaCha20 anymore.  Fix it to always use the standard constants.
>
> Cc: linux-crypto@vger.kernel.org
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Jann Horn <jannh@google.com>
> Cc: Theodore Ts'o <tytso@mit.edu>
> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Acked-by: Ard Biesheuvel <ardb@kernel.org>

> ---
>
> Andrew, please consider taking this patch since the maintainer has been
> ignoring it for 4 months
> (https://lkml.kernel.org/lkml/20200916045013.142179-1-ebiggers@kernel.org/T/#u).
>
>
>  drivers/char/random.c   | 4 ++--
>  include/crypto/chacha.h | 9 +++++++--
>  2 files changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/char/random.c b/drivers/char/random.c
> index bbc5098b1a81f..4037a1e0fb748 100644
> --- a/drivers/char/random.c
> +++ b/drivers/char/random.c
> @@ -809,7 +809,7 @@ static bool __init crng_init_try_arch_early(struct crng_state *crng)
>
>  static void __maybe_unused crng_initialize_secondary(struct crng_state *crng)
>  {
> -       memcpy(&crng->state[0], "expand 32-byte k", 16);
> +       chacha_init_consts(crng->state);
>         _get_random_bytes(&crng->state[4], sizeof(__u32) * 12);
>         crng_init_try_arch(crng);
>         crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
> @@ -817,7 +817,7 @@ static void __maybe_unused crng_initialize_secondary(struct crng_state *crng)
>
>  static void __init crng_initialize_primary(struct crng_state *crng)
>  {
> -       memcpy(&crng->state[0], "expand 32-byte k", 16);
> +       chacha_init_consts(crng->state);
>         _extract_entropy(&input_pool, &crng->state[4], sizeof(__u32) * 12, 0);
>         if (crng_init_try_arch_early(crng) && trust_cpu) {
>                 invalidate_batched_entropy();
> diff --git a/include/crypto/chacha.h b/include/crypto/chacha.h
> index 3a1c72fdb7cf5..dabaee6987186 100644
> --- a/include/crypto/chacha.h
> +++ b/include/crypto/chacha.h
> @@ -47,13 +47,18 @@ static inline void hchacha_block(const u32 *state, u32 *out, int nrounds)
>                 hchacha_block_generic(state, out, nrounds);
>  }
>
> -void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv);
> -static inline void chacha_init_generic(u32 *state, const u32 *key, const u8 *iv)
> +static inline void chacha_init_consts(u32 *state)
>  {
>         state[0]  = 0x61707865; /* "expa" */
>         state[1]  = 0x3320646e; /* "nd 3" */
>         state[2]  = 0x79622d32; /* "2-by" */
>         state[3]  = 0x6b206574; /* "te k" */
> +}
> +
> +void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv);
> +static inline void chacha_init_generic(u32 *state, const u32 *key, const u8 *iv)
> +{
> +       chacha_init_consts(state);
>         state[4]  = key[0];
>         state[5]  = key[1];
>         state[6]  = key[2];
> --
> 2.30.0
>

^ permalink raw reply	[flat|nested] 5+ messages in thread
* [PATCH RESEND] random: initialize ChaCha20 constants with correct endianness
@ 2021-01-12 19:29 Eric Biggers
  2021-01-13 11:52 ` Ard Biesheuvel
  2021-02-01 22:43 ` Eric Biggers
  0 siblings, 2 replies; 5+ messages in thread
From: Eric Biggers @ 2021-01-12 19:29 UTC (permalink / raw)
  To: Andrew Morton
  Cc: linux-kernel, linux-crypto, Andy Lutomirski, Jann Horn,
	Theodore Ts'o, Herbert Xu

From: Eric Biggers <ebiggers@google.com>

On big endian CPUs, the ChaCha20-based CRNG is using the wrong
endianness for the ChaCha20 constants.

This doesn't matter cryptographically, but technically it means it's not
ChaCha20 anymore.  Fix it to always use the standard constants.

Cc: linux-crypto@vger.kernel.org
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Jann Horn <jannh@google.com>
Cc: Theodore Ts'o <tytso@mit.edu>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Eric Biggers <ebiggers@google.com>
---

Andrew, please consider taking this patch since the maintainer has been
ignoring it for 4 months
(https://lkml.kernel.org/lkml/20200916045013.142179-1-ebiggers@kernel.org/T/#u).


 drivers/char/random.c   | 4 ++--
 include/crypto/chacha.h | 9 +++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/char/random.c b/drivers/char/random.c
index bbc5098b1a81f..4037a1e0fb748 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -809,7 +809,7 @@ static bool __init crng_init_try_arch_early(struct crng_state *crng)
 
 static void __maybe_unused crng_initialize_secondary(struct crng_state *crng)
 {
-	memcpy(&crng->state[0], "expand 32-byte k", 16);
+	chacha_init_consts(crng->state);
 	_get_random_bytes(&crng->state[4], sizeof(__u32) * 12);
 	crng_init_try_arch(crng);
 	crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
@@ -817,7 +817,7 @@ static void __maybe_unused crng_initialize_secondary(struct crng_state *crng)
 
 static void __init crng_initialize_primary(struct crng_state *crng)
 {
-	memcpy(&crng->state[0], "expand 32-byte k", 16);
+	chacha_init_consts(crng->state);
 	_extract_entropy(&input_pool, &crng->state[4], sizeof(__u32) * 12, 0);
 	if (crng_init_try_arch_early(crng) && trust_cpu) {
 		invalidate_batched_entropy();
diff --git a/include/crypto/chacha.h b/include/crypto/chacha.h
index 3a1c72fdb7cf5..dabaee6987186 100644
--- a/include/crypto/chacha.h
+++ b/include/crypto/chacha.h
@@ -47,13 +47,18 @@ static inline void hchacha_block(const u32 *state, u32 *out, int nrounds)
 		hchacha_block_generic(state, out, nrounds);
 }
 
-void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv);
-static inline void chacha_init_generic(u32 *state, const u32 *key, const u8 *iv)
+static inline void chacha_init_consts(u32 *state)
 {
 	state[0]  = 0x61707865; /* "expa" */
 	state[1]  = 0x3320646e; /* "nd 3" */
 	state[2]  = 0x79622d32; /* "2-by" */
 	state[3]  = 0x6b206574; /* "te k" */
+}
+
+void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv);
+static inline void chacha_init_generic(u32 *state, const u32 *key, const u8 *iv)
+{
+	chacha_init_consts(state);
 	state[4]  = key[0];
 	state[5]  = key[1];
 	state[6]  = key[2];
-- 
2.30.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-04-02  9:04 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-22  5:13 [PATCH RESEND] random: initialize ChaCha20 constants with correct endianness Eric Biggers
2021-04-02  9:03 ` Herbert Xu
  -- strict thread matches above, loose matches on Subject: below --
2021-01-12 19:29 Eric Biggers
2021-01-13 11:52 ` Ard Biesheuvel
2021-02-01 22:43 ` Eric Biggers

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).