lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAMj1kXEkz1QvkXWc8dCGhU_MPf+1M3P2+rAiLciuixnKCmRESg@mail.gmail.com>
Date: Fri, 19 May 2023 11:31:30 +0200
From: Ard Biesheuvel <ardb@...nel.org>
To: Herbert Xu <herbert@...dor.apana.org.au>
Cc: Dmitry Safonov <dima@...sta.com>, 
	Linux Crypto Mailing List <linux-crypto@...r.kernel.org>, linux-kernel@...r.kernel.org, 
	David Ahern <dsahern@...nel.org>, Eric Dumazet <edumazet@...gle.com>, 
	Paolo Abeni <pabeni@...hat.com>, Jakub Kicinski <kuba@...nel.org>, 
	"David S. Miller" <davem@...emloft.net>, Andy Lutomirski <luto@...capital.net>, 
	Bob Gilligan <gilligan@...sta.com>, Dan Carpenter <error27@...il.com>, 
	David Laight <David.Laight@...lab.com>, Dmitry Safonov <0x7f454c46@...il.com>, 
	Eric Biggers <ebiggers@...nel.org>, "Eric W. Biederman" <ebiederm@...ssion.com>, 
	Francesco Ruggeri <fruggeri05@...il.com>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, 
	Ivan Delalande <colona@...sta.com>, Leonard Crestez <cdleonard@...il.com>, 
	Salam Noureddine <noureddine@...sta.com>, netdev@...r.kernel.org
Subject: Re: [PATCH] crypto: shash - Allow cloning on algorithms with no init_tfm

On Fri, 19 May 2023 at 11:04, Herbert Xu <herbert@...dor.apana.org.au> wrote:
>
> On Fri, May 19, 2023 at 10:54:11AM +0200, Ard Biesheuvel wrote:
> >
> > Does this imply that the cmac-aes-ce and cmac-aes-neon implementations
> > for arm64 need a similar treatment?
>
> Good catch.  Since these don't have init functions we can deal
> with them at a higher level:
>
> ---8<---
> Some shash algorithms are so simple that they don't have an init_tfm
> function.  These can be cloned trivially.  Check this before failing
> in crypto_clone_shash.
>

OK. So IIUC, cloning a keyless hash just shares the TFM and bumps the
refcount, but here we must actually allocate a new TFM referring to
the same algo, and this new TFM needs its key to be set before use, as
it doesn't inherit it from the clonee, right? And this works in the
same way as cloning an instance of the generic HMAC template, as this
will just clone the inner shash too, and will also leave the key
unset.

If so,

Acked-by: Ard Biesheuvel <ardb@...nel.org>

If not, could you explain it to me again? :-)


> Signed-off-by: Herbert Xu <herbert@...dor.apana.org.au>
>
> diff --git a/crypto/shash.c b/crypto/shash.c
> index 717b42df3495..1fadb6b59bdc 100644
> --- a/crypto/shash.c
> +++ b/crypto/shash.c
> @@ -597,7 +597,7 @@ struct crypto_shash *crypto_clone_shash(struct crypto_shash *hash)
>                 return hash;
>         }
>
> -       if (!alg->clone_tfm)
> +       if (!alg->clone_tfm && (alg->init_tfm || alg->base.cra_init))
>                 return ERR_PTR(-ENOSYS);
>
>         nhash = crypto_clone_tfm(&crypto_shash_type, tfm);
> @@ -606,10 +606,12 @@ struct crypto_shash *crypto_clone_shash(struct crypto_shash *hash)
>
>         nhash->descsize = hash->descsize;
>
> -       err = alg->clone_tfm(nhash, hash);
> -       if (err) {
> -               crypto_free_shash(nhash);
> -               return ERR_PTR(err);
> +       if (alg->clone_tfm) {
> +               err = alg->clone_tfm(nhash, hash);
> +               if (err) {
> +                       crypto_free_shash(nhash);
> +                       return ERR_PTR(err);
> +               }
>         }
>
>         return nhash;
> --
> Email: Herbert Xu <herbert@...dor.apana.org.au>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Powered by blists - more mailing lists