| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Jan 2021 12:52:17 +0100
From: Ard Biesheuvel <ardb@...nel.org>
To: Eric Biggers <ebiggers@...nel.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
Andy Lutomirski <luto@...nel.org>,
Jann Horn <jannh@...gle.com>, "Theodore Ts'o" <tytso@....edu>,
Herbert Xu <herbert@...dor.apana.org.au>
Subject: Re: [PATCH RESEND] random: initialize ChaCha20 constants with correct endianness
On Tue, 12 Jan 2021 at 20:30, Eric Biggers <ebiggers@...nel.org> wrote:
>
> From: Eric Biggers <ebiggers@...gle.com>
>
> On big endian CPUs, the ChaCha20-based CRNG is using the wrong
> endianness for the ChaCha20 constants.
>
> This doesn't matter cryptographically, but technically it means it's not
> ChaCha20 anymore. Fix it to always use the standard constants.
>
> Cc: linux-crypto@...r.kernel.org
> Cc: Andy Lutomirski <luto@...nel.org>
> Cc: Jann Horn <jannh@...gle.com>
> Cc: Theodore Ts'o <tytso@....edu>
> Acked-by: Herbert Xu <herbert@...dor.apana.org.au>
> Signed-off-by: Eric Biggers <ebiggers@...gle.com>
Acked-by: Ard Biesheuvel <ardb@...nel.org>
> ---
>
> Andrew, please consider taking this patch since the maintainer has been
> ignoring it for 4 months
> (https://lkml.kernel.org/lkml/20200916045013.142179-1-ebiggers@kernel.org/T/#u).
>
>
> drivers/char/random.c | 4 ++--
> include/crypto/chacha.h | 9 +++++++--
> 2 files changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/char/random.c b/drivers/char/random.c
> index bbc5098b1a81f..4037a1e0fb748 100644
> --- a/drivers/char/random.c
> +++ b/drivers/char/random.c
> @@ -809,7 +809,7 @@ static bool __init crng_init_try_arch_early(struct crng_state *crng)
>
> static void __maybe_unused crng_initialize_secondary(struct crng_state *crng)
> {
> - memcpy(&crng->state[0], "expand 32-byte k", 16);
> + chacha_init_consts(crng->state);
> _get_random_bytes(&crng->state[4], sizeof(__u32) * 12);
> crng_init_try_arch(crng);
> crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
> @@ -817,7 +817,7 @@ static void __maybe_unused crng_initialize_secondary(struct crng_state *crng)
>
> static void __init crng_initialize_primary(struct crng_state *crng)
> {
> - memcpy(&crng->state[0], "expand 32-byte k", 16);
> + chacha_init_consts(crng->state);
> _extract_entropy(&input_pool, &crng->state[4], sizeof(__u32) * 12, 0);
> if (crng_init_try_arch_early(crng) && trust_cpu) {
> invalidate_batched_entropy();
> diff --git a/include/crypto/chacha.h b/include/crypto/chacha.h
> index 3a1c72fdb7cf5..dabaee6987186 100644
> --- a/include/crypto/chacha.h
> +++ b/include/crypto/chacha.h
> @@ -47,13 +47,18 @@ static inline void hchacha_block(const u32 *state, u32 *out, int nrounds)
> hchacha_block_generic(state, out, nrounds);
> }
>
> -void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv);
> -static inline void chacha_init_generic(u32 *state, const u32 *key, const u8 *iv)
> +static inline void chacha_init_consts(u32 *state)
> {
> state[0] = 0x61707865; /* "expa" */
> state[1] = 0x3320646e; /* "nd 3" */
> state[2] = 0x79622d32; /* "2-by" */
> state[3] = 0x6b206574; /* "te k" */
> +}
> +
> +void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv);
> +static inline void chacha_init_generic(u32 *state, const u32 *key, const u8 *iv)
> +{
> + chacha_init_consts(state);
> state[4] = key[0];
> state[5] = key[1];
> state[6] = key[2];
> --
> 2.30.0
>
Powered by blists - more mailing lists