Message-ID: <aFkdNoQFmr8-x4cu@gondor.apana.org.au>
Date: Mon, 23 Jun 2025 17:24:06 +0800
From: Herbert Xu <herbert@...dor.apana.org.au>
To: AlanSong-oc <AlanSong-oc@...oxin.com>
Cc: davem@...emloft.net, linux-crypto@...r.kernel.org,
	linux-kernel@...r.kernel.org, CobeChen@...oxin.com,
	TonyWWang-oc@...oxin.com, YunShen@...oxin.com,
	GeorgeXue@...oxin.com, LeoLiu-oc@...oxin.com, HansHu@...oxin.com
Subject: Re: [PATCH] crypto: padlock-sha - Add support for Zhaoxin processor

On Mon, Jun 16, 2025 at 08:23:36PM +0800, AlanSong-oc wrote:
>
> The 128-byte buffer requirement is already included in 'descsize',
> as defined by PADLOCK_SHA_DESCSIZE. In the previous version of
> the padlock-sha driver, the 'struct sha1_state' variable and the buffer
> resided in separate memory regions. It allowed the driver to safely
> write initial hash constants into the buffer and retrieve hash results
> from buffer through memcpy() operations. Crucially, when the XSHA1
> instruction zeroed out the tail bytes of the buffer, it cannot affect
> the contents of 'struct sha1_state'. However, in the current driver
> implementation, the 'struct sha1_state' shares memory space with the
> buffer. Consequently, when the XSHA1 instruction executes, it
> inadvertently clears other members of 'struct sha1_state'. Specifically,
> when padlock_sha1_finup() is called, the 'count' member of
> 'struct sha1_state' no longer reflects the actual data length processed.
> Explain it using a graph as shown below:

Thanks for the explanation.  There is no requirement to use struct
sha1_state.  Just supply a custom version of the struct for the
shash descriptor that includes the necessary space.

IOW do the copy in the rarely used export/import functions, instead
of on every hash operation.

Cheers,
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
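
The layout problem and the suggested fix from this message, modelled in user-space C as an added example (not code from the thread or from the padlock-sha driver). `model_hw_hash`, `struct custom_desc` and the export/import helpers are hypothetical names, and the tail-zeroing behaviour is an assumption based on the quoted description.

```c
#include <stdint.h>
#include <string.h>
#define HW_BUF_SIZE 128  /* buffer size named in the thread */
#define DIGEST_LEN  (5 * sizeof(uint32_t))

/* Generic layout, simplified from the kernel's struct sha1_state. */
struct generic_state { uint32_t state[5]; uint64_t count; uint8_t buffer[64]; };
/* Hypothetical custom descriptor: 'count' sits outside the hardware buffer. */
struct custom_desc { uint8_t hw[HW_BUF_SIZE]; uint64_t count; };

/* Model (assumption): digest stays at the start, the tail bytes are zeroed. */
static void model_hw_hash(uint8_t *buf)
{
    memset(buf + DIGEST_LEN, 0, HW_BUF_SIZE - DIGEST_LEN);
}

/* Shared layout: the generic state overlays the hardware buffer. */
uint64_t count_after_shared(uint64_t processed)
{
    union { struct generic_state s; uint8_t hw[HW_BUF_SIZE]; } u;
    memset(&u, 0, sizeof(u));
    u.s.count = processed;
    model_hw_hash(u.hw);
    return u.s.count;    /* clobbered by the tail zeroing */
}

/* Copies between layouts happen only here, not on every hash operation. */
void custom_export(const struct custom_desc *d, struct generic_state *out)
{
    memset(out, 0, sizeof(*out));
    memcpy(out->state, d->hw, DIGEST_LEN);
    out->count = d->count;
}
void custom_import(struct custom_desc *d, const struct generic_state *in)
{
    memset(d, 0, sizeof(*d));
    memcpy(d->hw, in->state, DIGEST_LEN);
    d->count = in->count;
}

/* Custom layout: hash, export, re-import; returns the surviving count. */
uint64_t count_after_custom(uint64_t processed)
{
    struct custom_desc d = { .count = processed }, d2;
    struct generic_state g;
    model_hw_hash(d.hw);
    custom_export(&d, &g);
    custom_import(&d2, &g);
    return d2.count;
}
```

The model omits the partial-block buffer and the alignment the real instruction needs; it only shows where `count` has to live to survive the hardware write.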
