Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 13 Nov 2019 11:55:30 -0800
From: Eric Biggers <ebiggers@...nel.org>
To: Kees Cook <keescook@...omium.org>
Cc: Herbert Xu <herbert@...dor.apana.org.au>,
	João Moreira <joao.moreira@...el.com>,
	Sami Tolvanen <samitolvanen@...gle.com>,
	"David S. Miller" <davem@...emloft.net>,
	Ard Biesheuvel <ard.biesheuvel@...aro.org>,
	Stephan Mueller <smueller@...onox.de>, x86@...nel.org,
	linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
	kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH v5 8/8] crypto, x86/sha: Eliminate casts on asm
 implementations

On Wed, Nov 13, 2019 at 10:25:16AM -0800, Kees Cook wrote:
> In order to avoid CFI function prototype mismatches, this removes the
> casts on assembly implementations of sha1/256/512 accelerators. The
> safety checks from BUILD_BUG_ON() remain.
> 
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
>  arch/x86/crypto/sha1_ssse3_glue.c   | 61 ++++++++++++-----------------
>  arch/x86/crypto/sha256_ssse3_glue.c | 31 +++++++--------
>  arch/x86/crypto/sha512_ssse3_glue.c | 28 ++++++-------
>  3 files changed, 50 insertions(+), 70 deletions(-)
> 
> diff --git a/arch/x86/crypto/sha1_ssse3_glue.c b/arch/x86/crypto/sha1_ssse3_glue.c
> index 639d4c2fd6a8..a151d899f37a 100644
> --- a/arch/x86/crypto/sha1_ssse3_glue.c
> +++ b/arch/x86/crypto/sha1_ssse3_glue.c
> @@ -27,11 +27,8 @@
>  #include <crypto/sha1_base.h>
>  #include <asm/simd.h>
>  
> -typedef void (sha1_transform_fn)(u32 *digest, const char *data,
> -				unsigned int rounds);
> -
>  static int sha1_update(struct shash_desc *desc, const u8 *data,
> -			     unsigned int len, sha1_transform_fn *sha1_xform)
> +			     unsigned int len, sha1_block_fn *sha1_xform)
>  {
>  	struct sha1_state *sctx = shash_desc_ctx(desc);
>  
> @@ -39,48 +36,44 @@ static int sha1_update(struct shash_desc *desc, const u8 *data,
>  	    (sctx->count % SHA1_BLOCK_SIZE) + len < SHA1_BLOCK_SIZE)
>  		return crypto_sha1_update(desc, data, len);
>  
> -	/* make sure casting to sha1_block_fn() is safe */
> +	/* make sure sha1_block_fn() use in generic routines is safe */
>  	BUILD_BUG_ON(offsetof(struct sha1_state, state) != 0);

This update to the comment makes no sense, since sha1_block_fn() is obviously
safe in the helpers, and this says nothing about the assembly functions.
Instead this should say something like:

	/*
	 * Make sure that struct sha1_state begins directly with the 160-bit
	 * SHA1 internal state, as this is what the assembly functions expect.
	 */

Likewise for SHA-256 and SHA-512, except for those it would be a 256-bit and
512-bit internal state respectively.

> -asmlinkage void sha1_transform_ssse3(u32 *digest, const char *data,
> -				     unsigned int rounds);
> +asmlinkage void sha1_transform_ssse3(struct sha1_state *digest,
> +				     u8 const *data, int rounds);

'u8 const' is unconventional.  Please use 'const u8' instead.

Also, this function prototype is also given in a comment in the corresponding
assembly file.  Can you please update that too, and also leave a comment in the
assembly file like "struct sha1_state is assumed to begin with u32 state[5]."?

Likewise for all the other SHA-1, and SHA-256, and SHA-512 assembly functions,
except it would be u32 state[8] for SHA-256 and u64 state[8] for SHA-512.

- Eric

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.