On Tue, Jul 07, 2020 at 08:37:16AM +1000, Herbert Xu wrote:
> On Mon, Jul 06, 2020 at 12:07:17PM -0700, Eric Biggers wrote:
> >
> > This changes chacha_state to be a pointer, which breaks clearing the state
> > because that uses sizeof(chacha_state):
> >
> > 	memzero_explicit(chacha_state, sizeof(chacha_state));
> >
> > It would need to be changed to use CHACHA_BLOCK_SIZE.
>
> Good catch. Thanks! Here's an update:
>
> ---8<---
> As it stands the chacha state array is made 12 bytes bigger on
> x86 in order for it to be 16-byte aligned. However, the array
> is not actually aligned until it hits the x86 code.
>
> This patch moves the alignment to where the state array is defined.
> To do so a macro DEFINE_CHACHA_STATE has been added which takes
> care of all the work to ensure that it is actually aligned on the
> stack.
>
> Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

Hmm, __chacha20poly1305_encrypt() already uses:

	memzero_explicit(chacha_state, CHACHA_STATE_WORDS * sizeof(u32));

That's equivalent to CHACHA_BLOCK_SIZE now, but it would be best to use the same
constant everywhere. Can you pick one or the other to use?

Also, in chacha20poly1305-selftest.c there's a state array that needs to be
converted to use the new macro:

	u32 chacha20_state[CHACHA_STATE_WORDS];

- Eric
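
The sizeof pitfall raised in this thread, as an added user-space example that is not part of the original message or the kernel patch: once the state name is a pointer, a wipe sized with sizeof() clears only pointer-size bytes and leaves most of the state on the stack. DEFINE_ALIGNED_STATE, wipe() and words_left() are hypothetical stand-ins (the real DEFINE_CHACHA_STATE body is not shown in the thread, and wipe() substitutes for memzero_explicit()).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CHACHA_STATE_WORDS 16
#define CHACHA_BLOCK_SIZE  64   /* == CHACHA_STATE_WORDS * sizeof(u32) */

/* Hypothetical stand-in for DEFINE_CHACHA_STATE (its body is not shown in
 * the thread): 12 spare bytes, and `name` is a 16-byte-aligned POINTER. */
#define DEFINE_ALIGNED_STATE(name)                                    \
	uint32_t name##_buf[CHACHA_STATE_WORDS + 3];                  \
	uint32_t *name = (uint32_t *)(((uintptr_t)name##_buf + 15) & \
				      ~(uintptr_t)15)

/* User-space substitute for the kernel's memzero_explicit(). */
static void wipe(void *p, size_t n)
{
	volatile unsigned char *v = p;
	while (n--)
		*v++ = 0;
}

/* Fill the state with a constructed marker, wipe it (with sizeof of the
 * pointer when use_sizeof is set), and return the words left non-zero. */
size_t words_left(int use_sizeof)
{
	DEFINE_ALIGNED_STATE(chacha_state);
	size_t i, left = 0;

	for (i = 0; i < CHACHA_STATE_WORDS; i++)
		chacha_state[i] = 0xdeadbeefu;	/* constructed "key material" */
	if (use_sizeof)
		wipe(chacha_state, sizeof(chacha_state)); /* size of a pointer */
	else
		wipe(chacha_state, CHACHA_BLOCK_SIZE);	  /* the whole state */
	for (i = 0; i < CHACHA_STATE_WORDS; i++)
		left += chacha_state[i] != 0;
	return left;
}

int main(void)
{
	printf("sizeof(ptr) wipe leaves %zu words, CHACHA_BLOCK_SIZE wipe leaves %zu\n",
	       words_left(1), words_left(0));
	return 0;
}
```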