lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Jan 2022 15:59:21 +0000 From: David Laight <David.Laight@...LAB.COM> To: "'Jason A. Donenfeld'" <Jason@...c4.com>, Ard Biesheuvel <ardb@...nel.org> CC: Alexei Starovoitov <alexei.starovoitov@...il.com>, Toke Høiland-Jørgensen <toke@...hat.com>, "Network Development" <netdev@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, Geert Uytterhoeven <geert@...ux-m68k.org>, Herbert Xu <herbert@...dor.apana.org.au>, Jean-Philippe Aumasson <jeanphilippe.aumasson@...il.com>, Linux Crypto Mailing List <linux-crypto@...r.kernel.org>, bpf <bpf@...r.kernel.org> Subject: RE: [PATCH RFC v1 1/3] bpf: move from sha1 to blake2s in tag calculation From: Jason A. Donenfeld > Sent: 14 January 2022 15:21 > > On Fri, Jan 14, 2022 at 4:08 PM Ard Biesheuvel <ardb@...nel.org> wrote: > > Yeah, so the issue is that, at *some* point, SHA-1 is going to have to > > go. So it would be helpful if Alexei could clarify *why* he doesn't > > see this as a problem. The fact that it is broken means that it is no > > longer intractable to forge collisions, which likley means that SHA-1 > > no longer fulfills the task that you wanted it to do in the first > > place. > > I think the reason that Alexei doesn't think that the SHA-1 choice > really matters is because the result is being truncated to 64-bits, so > collisions are easy anyway... Which probably means that SHA-1 is complete overkill and something much simpler could have been used instead. Is the buffer even big enough to have ever warranted the massive unrolling of the sha-1 function. (I suspect that just destroys the I-cache on most cpu.) The IPv6 address case seems even more insane - how many bytes are actually being hashed. The unrolled loop is only likely to be sane for large (megabyte) buffers. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
Powered by blists - more mailing lists