| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251026055032.1413733-5-ebiggers@kernel.org>
Date: Sat, 25 Oct 2025 22:50:21 -0700
From: Eric Biggers <ebiggers@...nel.org>
To: linux-crypto@...r.kernel.org
Cc: David Howells <dhowells@...hat.com>,
Ard Biesheuvel <ardb@...nel.org>,
"Jason A . Donenfeld" <Jason@...c4.com>,
Eric Biggers <ebiggers@...nel.org>,
Holger Dengler <dengler@...ux.ibm.com>,
Harald Freudenberger <freude@...ux.ibm.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
linux-arm-kernel@...ts.infradead.org,
linux-s390@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH v2 04/15] lib/crypto: sha3: Move SHA3 Iota step mapping into round function
From: David Howells <dhowells@...hat.com>
In crypto/sha3_generic.c, the keccakf() function calls keccakf_round()
to do four of Keccak-f's five step mappings. However, it does not do
the Iota step mapping - presumably because that is dependent on round
number, whereas Theta, Rho, Pi and Chi are not.
Note that the keccakf_round() function needs to be explicitly
non-inlined on certain architectures as gcc's produced output will (or
used to) use over 1KiB of stack space if inlined.
Now, this code was copied more or less verbatim into lib/crypto/sha3.c,
so that has the same aesthetic issue. Fix this there by passing the
round number into sha3_keccakf_one_round_generic() and doing the Iota
step mapping there.
crypto/sha3_generic.c is left untouched as that will be converted to use
lib/crypto/sha3.c at some point.
Suggested-by: Eric Biggers <ebiggers@...nel.org>
Signed-off-by: David Howells <dhowells@...hat.com>
Signed-off-by: Eric Biggers <ebiggers@...nel.org>
---
lib/crypto/sha3.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/crypto/sha3.c b/lib/crypto/sha3.c
index 049be8414de26..ee7a2ca92b2c5 100644
--- a/lib/crypto/sha3.c
+++ b/lib/crypto/sha3.c
@@ -46,11 +46,11 @@ static const u64 sha3_keccakf_rndc[SHA3_KECCAK_ROUNDS] = {
};
/*
* Perform a single round of Keccak mixing.
*/
-static SHA3_INLINE void sha3_keccakf_one_round_generic(u64 st[25])
+static SHA3_INLINE void sha3_keccakf_one_round_generic(u64 st[25], int round)
{
u64 t[5], tt, bc[5];
/* Theta */
bc[0] = st[0] ^ st[5] ^ st[10] ^ st[15] ^ st[20];
@@ -147,10 +147,13 @@ static SHA3_INLINE void sha3_keccakf_one_round_generic(u64 st[25])
st[20] ^= bc[ 0];
st[21] ^= bc[ 1];
st[22] ^= bc[ 2];
st[23] ^= bc[ 3];
st[24] ^= bc[ 4];
+
+ /* Iota */
+ st[0] ^= sha3_keccakf_rndc[round];
}
/* Generic implementation of the Keccak-f[1600] permutation */
static void sha3_keccakf_generic(struct sha3_state *state)
{
@@ -161,15 +164,12 @@ static void sha3_keccakf_generic(struct sha3_state *state)
*/
for (int i = 0; i < ARRAY_SIZE(state->words); i++)
state->native_words[i] = le64_to_cpu(state->words[i]);
- for (int round = 0; round < SHA3_KECCAK_ROUNDS; round++) {
- sha3_keccakf_one_round_generic(state->native_words);
- /* Iota */
- state->native_words[0] ^= sha3_keccakf_rndc[round];
- }
+ for (int round = 0; round < SHA3_KECCAK_ROUNDS; round++)
+ sha3_keccakf_one_round_generic(state->native_words, round);
for (int i = 0; i < ARRAY_SIZE(state->words); i++)
state->words[i] = cpu_to_le64(state->native_words[i]);
}
--
2.51.1.dirty
Powered by blists - more mailing lists