inconsistent handling of unaligned hash inputs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Bob Picco sent me a bootup trace showing that we've started to get
unaligned accesses when the generic sha256 is tested on sparc64.  I
believe this is introduced by:

commit 950e4e1c1b334c4975b91106f23fd343be3eb7a0
Author: Jussi Kivilinna <jussi.kivilinna@xxxxxx>
Date:   Sat Apr 12 15:35:29 2014 +0300

    crypto: testmgr - add empty and large test vectors for SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512

That change looks perfectly correct, it's just adding new legitimate
tests to run, but when I went to look to see how unaligned inputs are
handled I see:

1) SHA1 uses get_unaligned_be32()
2) SHA256/SHA224 uses direct u32 derefencing
3) SHA384/SHA512 likewise
4) MD5 always operates on the md5 context's mctx->block which is
   u32 aligned.

The sparc64 assembler that uses the chip's crypto instructions doesn't
have this problem because we have two code paths, one for aligned
data and one for unaligned data, in each routine.

Anyways, I suspect that we need to use get_unaligned_be{32,64}() in
generic SHA256 and SHA512.

The following seems to fix things for me:

====================
crypto: Handle unaligned input data in generic sha256 and sha512.

Like SHA1, use get_unaligned_be*() on the raw input data.

Reported-by: Bob Picco <bob.picco@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>

diff --git a/crypto/sha256_generic.c b/crypto/sha256_generic.c
index 5433667..0bb5583 100644
--- a/crypto/sha256_generic.c
+++ b/crypto/sha256_generic.c
@@ -24,6 +24,7 @@
 #include <linux/types.h>
 #include <crypto/sha.h>
 #include <asm/byteorder.h>
+#include <asm/unaligned.h>
 
 static inline u32 Ch(u32 x, u32 y, u32 z)
 {
@@ -42,7 +43,7 @@ static inline u32 Maj(u32 x, u32 y, u32 z)
 
 static inline void LOAD_OP(int I, u32 *W, const u8 *input)
 {
-	W[I] = __be32_to_cpu( ((__be32*)(input))[I] );
+	W[I] = get_unaligned_be32((__u32 *)input + I);
 }
 
 static inline void BLEND_OP(int I, u32 *W)
diff --git a/crypto/sha512_generic.c b/crypto/sha512_generic.c
index 6ed124f..6dde57d 100644
--- a/crypto/sha512_generic.c
+++ b/crypto/sha512_generic.c
@@ -20,6 +20,7 @@
 #include <crypto/sha.h>
 #include <linux/percpu.h>
 #include <asm/byteorder.h>
+#include <asm/unaligned.h>
 
 static inline u64 Ch(u64 x, u64 y, u64 z)
 {
@@ -68,7 +69,7 @@ static const u64 sha512_K[80] = {
 
 static inline void LOAD_OP(int I, u64 *W, const u8 *input)
 {
-	W[I] = __be64_to_cpu( ((__be64*)(input))[I] );
+	W[I] = get_unaligned_be64((__u64 *)input + I);
 }
 
 static inline void BLEND_OP(int I, u64 *W)
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux