Message ID | 20120114182737.GB4207@p183.telecom.by |
---|---|
State | Not Applicable, archived |
Delegated to: | David Miller |
Headers | show |
Le samedi 14 janvier 2012 à 21:27 +0300, Alexey Dobriyan a écrit : > commit f9e2bca6c22d75a289a349f869701214d63b5060 > aka "crypto: sha512 - Move message schedule W[80] to static percpu area" > created global message schedule area. > Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> > Cc: stable@vger.kernel.org > --- > > crypto/sha512_generic.c | 6 +----- > 1 file changed, 1 insertion(+), 5 deletions(-) > > --- a/crypto/sha512_generic.c > +++ b/crypto/sha512_generic.c > @@ -21,8 +21,6 @@ > #include <linux/percpu.h> > #include <asm/byteorder.h> > > -static DEFINE_PER_CPU(u64[80], msg_schedule); > - > static inline u64 Ch(u64 x, u64 y, u64 z) > { > return z ^ (x & (y ^ z)); > @@ -89,7 +87,7 @@ sha512_transform(u64 *state, const u8 *input) > u64 a, b, c, d, e, f, g, h, t1, t2; > > int i; > - u64 *W = get_cpu_var(msg_schedule); > + u64 W[80]; > > /* load the input */ > for (i = 0; i < 16; i++) > @@ -128,8 +126,6 @@ sha512_transform(u64 *state, const u8 *input) > > /* erase our data */ > a = b = c = d = e = f = g = h = t1 = t2 = 0; > - memset(W, 0, sizeof(__get_cpu_var(msg_schedule))); > - put_cpu_var(msg_schedule); > } > > static int Is it just me or are you ignoring what crypto maintainer and others thought of your patch ? You are re-introducing a 640 bytes stack array, how comes it can be really safe ? This is too risky, and we provided an alternate patch, not just for fun. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sat, Jan 14, 2012 at 1:46 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote: > > This is too risky, and we provided an alternate patch, not just for fun. Did you see the second patch? The one that got rid of the *stupid* 80-entry array? I don't know why so many sha implementations do that idiotic full array, when the circular one is much better. In fact, the 16-entry circular array allows machines with lots of registers to keep all the state in registers and the C implementation can often be as good as hand-tuned assembly. At least that's true for sha1, I'm not sure you can do the same with sha512. But that actually *requires* that the 16-entry array be done on the stack as an automatic array. Anything else, and the compiler won't be able to do it. Linus -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Le samedi 14 janvier 2012 à 13:52 -0800, Linus Torvalds a écrit : > On Sat, Jan 14, 2012 at 1:46 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote: > > > > This is too risky, and we provided an alternate patch, not just for fun. > > Did you see the second patch? > I saw it and felt it was not a stable material. And Herbert sent an alternate patch, then I sent a V3 patch. > The one that got rid of the *stupid* 80-entry array? > Maybe, I didnt wrote this code, and I am very glad this code can be smarter and all. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sat, Jan 14, 2012 at 09:27:37PM +0300, Alexey Dobriyan wrote: > commit f9e2bca6c22d75a289a349f869701214d63b5060 > aka "crypto: sha512 - Move message schedule W[80] to static percpu area" > created global message schedule area. > > If sha512_update will ever be entered twice, hash will be silently > calculated incorrectly. > > Probably the easiest way to notice incorrect hashes being calculated is > to run 2 ping floods over AH with hmac(sha512): > > #!/usr/sbin/setkey -f > flush; > spdflush; > add IP1 IP2 ah 25 -A hmac-sha512 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000025; > add IP2 IP1 ah 52 -A hmac-sha512 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000052; > spdadd IP1 IP2 any -P out ipsec ah/transport//require; > spdadd IP2 IP1 any -P in ipsec ah/transport//require; > > XfrmInStateProtoError will start ticking with -EBADMSG being returned > from ah_input(). This never happens with, say, hmac(sha1). > > With patch applied (on BOTH sides), XfrmInStateProtoError does not tick > with multiple bidirectional ping flood streams like it doesn't tick > with SHA-1. > > After this patch sha512_transform() will start using ~750 bytes of stack on x86_64. > This is OK for simple loads, for something more heavy, stack reduction will be done > separatedly. > > Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> > Cc: stable@vger.kernel.org OK, I've applied patches 1-2 to crypto and patch 3 to cryptodev. Thanks,
--- a/crypto/sha512_generic.c +++ b/crypto/sha512_generic.c @@ -21,8 +21,6 @@ #include <linux/percpu.h> #include <asm/byteorder.h> -static DEFINE_PER_CPU(u64[80], msg_schedule); - static inline u64 Ch(u64 x, u64 y, u64 z) { return z ^ (x & (y ^ z)); @@ -89,7 +87,7 @@ sha512_transform(u64 *state, const u8 *input) u64 a, b, c, d, e, f, g, h, t1, t2; int i; - u64 *W = get_cpu_var(msg_schedule); + u64 W[80]; /* load the input */ for (i = 0; i < 16; i++) @@ -128,8 +126,6 @@ sha512_transform(u64 *state, const u8 *input) /* erase our data */ a = b = c = d = e = f = g = h = t1 = t2 = 0; - memset(W, 0, sizeof(__get_cpu_var(msg_schedule))); - put_cpu_var(msg_schedule); } static int
commit f9e2bca6c22d75a289a349f869701214d63b5060 aka "crypto: sha512 - Move message schedule W[80] to static percpu area" created global message schedule area. If sha512_update will ever be entered twice, hash will be silently calculated incorrectly. Probably the easiest way to notice incorrect hashes being calculated is to run 2 ping floods over AH with hmac(sha512): #!/usr/sbin/setkey -f flush; spdflush; add IP1 IP2 ah 25 -A hmac-sha512 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000025; add IP2 IP1 ah 52 -A hmac-sha512 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000052; spdadd IP1 IP2 any -P out ipsec ah/transport//require; spdadd IP2 IP1 any -P in ipsec ah/transport//require; XfrmInStateProtoError will start ticking with -EBADMSG being returned from ah_input(). This never happens with, say, hmac(sha1). With patch applied (on BOTH sides), XfrmInStateProtoError does not tick with multiple bidirectional ping flood streams like it doesn't tick with SHA-1. After this patch sha512_transform() will start using ~750 bytes of stack on x86_64. This is OK for simple loads, for something more heavy, stack reduction will be done separatedly. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Cc: stable@vger.kernel.org --- crypto/sha512_generic.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html