From: Vitaly Chikunov <vt@altlinux.org>
To: Eric Biggers <ebiggers@kernel.org>
Cc: linux-crypto@vger.kernel.org
Subject: Re: [RFC/RFT PATCH 09/18] crypto: streebog - fix unaligned memory accesses
Date: Mon, 1 Apr 2019 00:47:19 +0300 [thread overview]
Message-ID: <20190331214717.4erxk2racxphfbha@altlinux.org> (raw)
In-Reply-To: <20190331200428.26597-10-ebiggers@kernel.org>
Eric,
On Sun, Mar 31, 2019 at 01:04:19PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> Don't cast the data buffer directly to streebog_uint512, as this
> violates alignment rules.
>
> Fixes: fe18957e8e87 ("crypto: streebog - add Streebog hash function")
> Cc: Vitaly Chikunov <vt@altlinux.org>
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
> crypto/streebog_generic.c | 25 +++++++++++++------------
> include/crypto/streebog.h | 5 ++++-
> 2 files changed, 17 insertions(+), 13 deletions(-)
>
> diff --git a/crypto/streebog_generic.c b/crypto/streebog_generic.c
> index 5a2eafed9c29f..b82fc3d79aa15 100644
> --- a/crypto/streebog_generic.c
> +++ b/crypto/streebog_generic.c
> @@ -996,7 +996,7 @@ static void streebog_add512(const struct streebog_uint512 *x,
>
> static void streebog_g(struct streebog_uint512 *h,
> const struct streebog_uint512 *N,
> - const u8 *m)
> + const struct streebog_uint512 *m)
> {
> struct streebog_uint512 Ki, data;
> unsigned int i;
> @@ -1005,7 +1005,7 @@ static void streebog_g(struct streebog_uint512 *h,
>
> /* Starting E() */
> Ki = data;
> - streebog_xlps(&Ki, (const struct streebog_uint512 *)&m[0], &data);
> + streebog_xlps(&Ki, m, &data);
>
> for (i = 0; i < 11; i++)
> streebog_round(i, &Ki, &data);
> @@ -1015,16 +1015,19 @@ static void streebog_g(struct streebog_uint512 *h,
> /* E() done */
>
> streebog_xor(&data, h, &data);
> - streebog_xor(&data, (const struct streebog_uint512 *)&m[0], h);
> + streebog_xor(&data, m, h);
> }
>
> static void streebog_stage2(struct streebog_state *ctx, const u8 *data)
> {
> - streebog_g(&ctx->h, &ctx->N, data);
> + struct streebog_uint512 m;
> +
> + memcpy(&m, data, sizeof(m));
> +
> + streebog_g(&ctx->h, &ctx->N, &m);
>
> streebog_add512(&ctx->N, &buffer512, &ctx->N);
> - streebog_add512(&ctx->Sigma, (const struct streebog_uint512 *)data,
> - &ctx->Sigma);
> + streebog_add512(&ctx->Sigma, &m, &ctx->Sigma);
> }
As I understand, this is the actual fix.
Reviewed-by: Vitaly Chikunov <vt@altlinux.org>
Thanks much!
>
> static void streebog_stage3(struct streebog_state *ctx)
> @@ -1034,13 +1037,11 @@ static void streebog_stage3(struct streebog_state *ctx)
> buf.qword[0] = cpu_to_le64(ctx->fillsize << 3);
> streebog_pad(ctx);
>
> - streebog_g(&ctx->h, &ctx->N, (const u8 *)&ctx->buffer);
> + streebog_g(&ctx->h, &ctx->N, &ctx->m);
> streebog_add512(&ctx->N, &buf, &ctx->N);
> - streebog_add512(&ctx->Sigma,
> - (const struct streebog_uint512 *)&ctx->buffer[0],
> - &ctx->Sigma);
> - streebog_g(&ctx->h, &buffer0, (const u8 *)&ctx->N);
> - streebog_g(&ctx->h, &buffer0, (const u8 *)&ctx->Sigma);
> + streebog_add512(&ctx->Sigma, &ctx->m, &ctx->Sigma);
> + streebog_g(&ctx->h, &buffer0, &ctx->N);
> + streebog_g(&ctx->h, &buffer0, &ctx->Sigma);
> memcpy(&ctx->hash, &ctx->h, sizeof(struct streebog_uint512));
> }
>
> diff --git a/include/crypto/streebog.h b/include/crypto/streebog.h
> index 856e32af86574..cae1b4a019713 100644
> --- a/include/crypto/streebog.h
> +++ b/include/crypto/streebog.h
> @@ -23,7 +23,10 @@ struct streebog_uint512 {
> };
>
> struct streebog_state {
> - u8 buffer[STREEBOG_BLOCK_SIZE];
> + union {
> + u8 buffer[STREEBOG_BLOCK_SIZE];
> + struct streebog_uint512 m;
> + };
> struct streebog_uint512 hash;
> struct streebog_uint512 h;
> struct streebog_uint512 N;
> --
> 2.21.0
next prev parent reply other threads:[~2019-03-31 21:47 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-31 20:04 [RFC/RFT PATCH 00/18] crypto: fuzz algorithms against their generic implementation Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 01/18] crypto: x86/poly1305 - fix overflow during partial reduction Eric Biggers
2019-04-01 7:52 ` Martin Willi
2019-03-31 20:04 ` [RFC/RFT PATCH 02/18] crypto: crct10dif-generic - fix use via crypto_shash_digest() Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 03/18] crypto: x86/crct10dif-pcl " Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 04/18] crypto: skcipher - restore default skcipher_walk::iv on error Eric Biggers
2019-04-08 6:23 ` Herbert Xu
2019-04-08 17:27 ` Eric Biggers
2019-04-09 6:37 ` Herbert Xu
2019-03-31 20:04 ` [RFC/RFT PATCH 05/18] crypto: skcipher - don't WARN on unprocessed data after slow walk step Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 06/18] crypto: chacha20poly1305 - set cra_name correctly Eric Biggers
2019-04-01 7:57 ` Martin Willi
2019-03-31 20:04 ` [RFC/RFT PATCH 07/18] crypto: gcm - fix incompatibility between "gcm" and "gcm_base" Eric Biggers
2019-04-01 15:56 ` Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 08/18] crypto: ccm - fix incompatibility between "ccm" and "ccm_base" Eric Biggers
2019-04-02 15:48 ` Sasha Levin
2019-03-31 20:04 ` [RFC/RFT PATCH 09/18] crypto: streebog - fix unaligned memory accesses Eric Biggers
2019-03-31 21:47 ` Vitaly Chikunov [this message]
2019-04-02 16:15 ` Vitaly Chikunov
2019-04-02 16:57 ` Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 10/18] crypto: cts - don't support empty messages Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 11/18] crypto: arm64/cbcmac - handle empty messages in same way as template Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 12/18] crypto: testmgr - expand ability to test for errors Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 13/18] crypto: testmgr - identify test vectors by name rather than number Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 14/18] crypto: testmgr - add helpers for fuzzing against generic implementation Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 15/18] crypto: testmgr - fuzz hashes against their " Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 16/18] crypto: testmgr - fuzz skciphers " Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 17/18] crypto: testmgr - fuzz AEADs " Eric Biggers
2019-03-31 20:04 ` [RFC/RFT PATCH 18/18] crypto: run initcalls for generic implementations earlier Eric Biggers
2019-04-08 5:53 ` Herbert Xu
2019-04-08 17:44 ` Eric Biggers
2019-04-09 6:24 ` Herbert Xu
2019-04-09 18:16 ` Eric Biggers
2019-04-11 6:26 ` Herbert Xu
2019-04-08 6:44 ` [RFC/RFT PATCH 00/18] crypto: fuzz algorithms against their generic implementation Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190331214717.4erxk2racxphfbha@altlinux.org \
--to=vt@altlinux.org \
--cc=ebiggers@kernel.org \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).