Hi,
Le jeudi 09 août 2018 à 12:40 -0700, Eric Biggers a écrit :
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
> Subject: [PATCH] crypto: chacha20 - Fix keystream alignment for chacha20_block() (again)
>
> In commit 9f480faec58cd6 ("crypto: chacha20 - Fix keystream alignment
> for chacha20_block()") I had missed that chacha20_block() can end up
> being called on the buffer passed to get_random_bytes(), which can have
> any alignment. So, while my commit didn't break anything since
> chacha20_block() has actually always had a u32-alignment requirement for
> the output, it didn't fully solve the alignment problems.
>
> Revert my solution and just update chacha20_block() to use
> put_unaligned_le32(), so the output buffer doesn't have to be aligned.
>
> This is simpler, and on many CPUs it's the same speed.
>
> Reported-by: Stephan Müller <smueller@xxxxxxxxxx>
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> ---
> crypto/chacha20_generic.c | 7 ++++---
> drivers/char/random.c | 24 ++++++++++++------------
> include/crypto/chacha20.h | 3 +--
> lib/chacha20.c | 6 +++---
> 4 files changed, 20 insertions(+), 20 deletions(-)
>
> diff --git a/drivers/char/random.c b/drivers/char/random.c
> index bd449ad52442..b8f4345a50f4 100644
> --- a/drivers/char/random.c
> +++ b/drivers/char/random.c
> @@ -433,9 +433,9 @@ static int crng_init_cnt = 0;
> static unsigned long crng_global_init_time = 0;
> #define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE)
> static void _extract_crng(struct crng_state *crng,
> - __u32 out[CHACHA20_BLOCK_WORDS]);
> + __u8 out[CHACHA20_BLOCK_SIZE]);
> static void _crng_backtrack_protect(struct crng_state *crng,
> - __u32 tmp[CHACHA20_BLOCK_WORDS], int used);
> + __u8 tmp[CHACHA20_BLOCK_SIZE], int used);
> static void process_random_ready_list(void);
> static void _get_random_bytes(void *buf, int nbytes);
>
[...]
> @@ -994,7 +994,7 @@ static void extract_crng(__u32 out[CHACHA20_BLOCK_WORDS])
> * enough) to mutate the CRNG key to provide backtracking protection.
> */
> static void _crng_backtrack_protect(struct crng_state *crng,
> - __u32 tmp[CHACHA20_BLOCK_WORDS], int used)
> + __u8 tmp[CHACHA20_BLOCK_SIZE], int used)
> {
> unsigned long flags;
> __u32 *s, *d;
> @@ -1006,14 +1006,14 @@ static void _crng_backtrack_protect(struct crng_state *crng,
> used = 0;
> }
> spin_lock_irqsave(&crng->lock, flags);
> - s = &tmp[used / sizeof(__u32)];
> + s = (__u32 *) &tmp[used];
tmp is __8* while s is __u32*, that sounds like an alignment issue ...
> d = &crng->state[4];
> for (i=0; i < 8; i++)
> *d++ ^= *s++;
... when s is dereferenced
> spin_unlock_irqrestore(&crng->lock, flags);
> }
>
Regards.
--
Yann Droneaud
OPTEYA
