Re: [PATCH 1/3] sha512: make it work, undo percpu message schedule
On Sat, Jan 14, 2012 at 09:27:37PM +0300, Alexey Dobriyan wrote: > commit f9e2bca6c22d75a289a349f869701214d63b5060 > aka "crypto: sha512 - Move message schedule W[80] to static percpu area" > created global message schedule area. > > If sha512_update will ever be entered twice, hash will be silently > calculated incorrectly. > > Probably the easiest way to notice incorrect hashes being calculated is > to run 2 ping floods over AH with hmac(sha512): > > #!/usr/sbin/setkey -f > flush; > spdflush; > add IP1 IP2 ah 25 -A hmac-sha512 > 0x0025; > add IP2 IP1 ah 52 -A hmac-sha512 > 0x0052; > spdadd IP1 IP2 any -P out ipsec ah/transport//require; > spdadd IP2 IP1 any -P in ipsec ah/transport//require; > > XfrmInStateProtoError will start ticking with -EBADMSG being returned > from ah_input(). This never happens with, say, hmac(sha1). > > With patch applied (on BOTH sides), XfrmInStateProtoError does not tick > with multiple bidirectional ping flood streams like it doesn't tick > with SHA-1. > > After this patch sha512_transform() will start using ~750 bytes of stack on > x86_64. > This is OK for simple loads, for something more heavy, stack reduction will > be done > separatedly. > > Signed-off-by: Alexey Dobriyan > Cc: sta...@vger.kernel.org OK, I've applied patches 1-2 to crypto and patch 3 to cryptodev. Thanks, -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 1/3] sha512: make it work, undo percpu message schedule
Le samedi 14 janvier 2012 à 13:52 -0800, Linus Torvalds a écrit : > On Sat, Jan 14, 2012 at 1:46 PM, Eric Dumazet wrote: > > > > This is too risky, and we provided an alternate patch, not just for fun. > > Did you see the second patch? > I saw it and felt it was not a stable material. And Herbert sent an alternate patch, then I sent a V3 patch. > The one that got rid of the *stupid* 80-entry array? > Maybe, I didnt wrote this code, and I am very glad this code can be smarter and all. -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 1/3] sha512: make it work, undo percpu message schedule
On Sat, Jan 14, 2012 at 1:46 PM, Eric Dumazet wrote: > > This is too risky, and we provided an alternate patch, not just for fun. Did you see the second patch? The one that got rid of the *stupid* 80-entry array? I don't know why so many sha implementations do that idiotic full array, when the circular one is much better. In fact, the 16-entry circular array allows machines with lots of registers to keep all the state in registers and the C implementation can often be as good as hand-tuned assembly. At least that's true for sha1, I'm not sure you can do the same with sha512. But that actually *requires* that the 16-entry array be done on the stack as an automatic array. Anything else, and the compiler won't be able to do it. Linus -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 1/3] sha512: make it work, undo percpu message schedule
Le samedi 14 janvier 2012 à 21:27 +0300, Alexey Dobriyan a écrit : > commit f9e2bca6c22d75a289a349f869701214d63b5060 > aka "crypto: sha512 - Move message schedule W[80] to static percpu area" > created global message schedule area. > Signed-off-by: Alexey Dobriyan > Cc: sta...@vger.kernel.org > --- > > crypto/sha512_generic.c |6 +- > 1 file changed, 1 insertion(+), 5 deletions(-) > > --- a/crypto/sha512_generic.c > +++ b/crypto/sha512_generic.c > @@ -21,8 +21,6 @@ > #include > #include > > -static DEFINE_PER_CPU(u64[80], msg_schedule); > - > static inline u64 Ch(u64 x, u64 y, u64 z) > { > return z ^ (x & (y ^ z)); > @@ -89,7 +87,7 @@ sha512_transform(u64 *state, const u8 *input) > u64 a, b, c, d, e, f, g, h, t1, t2; > > int i; > - u64 *W = get_cpu_var(msg_schedule); > + u64 W[80]; > > /* load the input */ > for (i = 0; i < 16; i++) > @@ -128,8 +126,6 @@ sha512_transform(u64 *state, const u8 *input) > > /* erase our data */ > a = b = c = d = e = f = g = h = t1 = t2 = 0; > - memset(W, 0, sizeof(__get_cpu_var(msg_schedule))); > - put_cpu_var(msg_schedule); > } > > static int Is it just me or are you ignoring what crypto maintainer and others thought of your patch ? You are re-introducing a 640 bytes stack array, how comes it can be really safe ? This is too risky, and we provided an alternate patch, not just for fun. -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html