lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAMj1kXHzjMBEiKrugxFVn-xGZY2FrKKWbvpp2r9q0E_6Md1KJw@mail.gmail.com>
Date: Thu, 25 Sep 2025 10:39:18 +0200
From: Ard Biesheuvel <ardb@...nel.org>
To: David Howells <dhowells@...hat.com>
Cc: Eric Biggers <ebiggers@...nel.org>, "Jason A. Donenfeld" <Jason@...c4.com>, 
	Harald Freudenberger <freude@...ux.ibm.com>, Holger Dengler <dengler@...ux.ibm.com>, 
	Herbert Xu <herbert@...dor.apana.org.au>, Stephan Mueller <smueller@...onox.de>, 
	Simo Sorce <simo@...hat.com>, linux-crypto@...r.kernel.org, linux-s390@...r.kernel.org, 
	keyrings@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] lib/crypto: Add SHA3-224, SHA3-256, SHA3-384, SHA-512,
 SHAKE128, SHAKE256

On Tue, 23 Sept 2025 at 18:31, David Howells <dhowells@...hat.com> wrote:
>
> David Howells <dhowells@...hat.com> wrote:
>
> > Eric Biggers <ebiggers@...nel.org> wrote:
> >
> > > > I assume that pertains to the comment about inlining in some way.  This
> > > > is as is in sha3_generic.c.  I can move it into the round function if
> > > > you like, but can you tell me what the effect will be?
> > >
> > > The effect will be that the code will align more closely with how the
> > > algorithm is described in the SHA-3 spec and other publications.
> >
> > I meant on the code produced and the stack consumed.  It may align with other
> > code, but if it runs off of the end of the stack then alignment is irrelevant.
>
> See commit 4767b9ad7d762876a5865a06465e13e139a01b6b
>
> "crypto: sha3-generic - deal with oversize stack frames"
>
> For some reason (maybe Ard can comment on it), he left the Iota function out
> of the keccakf_round() function.
>

The Iota function is the only transformation that does not operate
purely on the state array, so that would have required passing an
additional u64 into keccakf_round(). But I agree it is slightly
cleaner, although arguably, it should be a separate change.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ