From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
To: libc-alpha@sourceware.org
Subject: Re: [PATCH v5 01/10] stdlib: Add arc4random, arc4random_buf, and arc4random_uniform (BZ #4417)
Date: Tue, 17 May 2022 16:16:25 -0300 [thread overview]
Message-ID: <83c88503-8c4d-1ca4-ea6d-d9df94b68c6d@linaro.org> (raw)
In-Reply-To: <7c7e64a1-6650-5e51-f7f8-e1785d20d951@opteya.com>
On 17/05/2022 06:10, Yann Droneaud wrote:
>> +
>> +static inline void
>> +chacha20_block (uint32_t *state, uint32_t *stream)
>> +{
>> + uint32_t x[CHACHA20_STATE_LEN];
>> + memcpy (x, state, sizeof x);
>> +
>> + for (int i = 0; i < 20; i += 2)
>> + {
>> + QROUND (x[0], x[4], x[8], x[12]);
>> + QROUND (x[1], x[5], x[9], x[13]);
>> + QROUND (x[2], x[6], x[10], x[14]);
>> + QROUND (x[3], x[7], x[11], x[15]);
>> +
>> + QROUND (x[0], x[5], x[10], x[15]);
>> + QROUND (x[1], x[6], x[11], x[12]);
>> + QROUND (x[2], x[7], x[8], x[13]);
>> + QROUND (x[3], x[4], x[9], x[14]);
>> + }
>> +
>> + /* Unroll the loop a bit. */
>> + for (int i = 0; i < CHACHA20_BLOCK_WORDS / 4; i++)
>> + {
>> + stream[i*4+0] = set_state (x[i*4+0] + state[i*4+0]);
>> + stream[i*4+1] = set_state (x[i*4+1] + state[i*4+1]);
>> + stream[i*4+2] = set_state (x[i*4+2] + state[i*4+2]);
>> + stream[i*4+3] = set_state (x[i*4+3] + state[i*4+3]);
>> + }
>> +
>> + state[12]++;
>
>
> I tempted to ask to clear x[] from the stack as this information could be used to recover the state from the stream.
>
> (In OpenBSD implementation, x's are variables instead, thus they can be pushed on the stack, then there's no way to clear them).
I think I can use variables instead of an array, it seems to show better performance
and it would avoid calling explicit_bzero.
>
>
>> +}
>> +
>> +static void
>> +chacha20_crypt (uint32_t *state, uint8_t *dst, const uint8_t *src,
>> + size_t bytes)
>> +{
>> + uint32_t stream[CHACHA20_BLOCK_WORDS];
>> +
>> + while (bytes >= CHACHA20_BLOCK_SIZE)
>> + {
>> + chacha20_block (state, stream);
>> +#ifdef CHACHA20_XOR_FINAL
>> + for (int i = 0; i < CHACHA20_BLOCK_WORDS; i++)
>> + stream[i] ^= read_unaligned_32 (&src[i * sizeof (uint32_t)]);
>> +#endif
>> + memcpy (dst, stream, CHACHA20_BLOCK_SIZE);
>> + bytes -= CHACHA20_BLOCK_SIZE;
>> + dst += CHACHA20_BLOCK_SIZE;
>> + src += CHACHA20_BLOCK_SIZE;
>> + }
>> + if (bytes != 0)
>> + {
>> + chacha20_block (state, stream);
>> +#ifdef CHACHA20_XOR_FINAL
>> + for (int i = 0; i < CHACHA20_BLOCK_WORDS; i++)
>> + stream[i] ^= read_unaligned_32 (&src[i * sizeof (uint32_t)]);
>> +#endif
>> + memcpy (dst, stream, bytes);
>> + }
>> +}
>
>
> Same here, I would clear stream[] as it would leak up to 64 bytes of the random stream on the stack.
>
> (In OpenBSD implementation, the stream is written into the destination buffer, using a temporary buffer only for the last block if not a multiple of ChaCha20 block size long, but this temporary buffer is not cleared either).
I think we can make chacha20_block write direct on stream and make
the final block issue explicit_bzero (it wont' be used since
arc4random internal buffer is multiple of CHACHA20_BLOCK_SIZE).
next prev parent reply other threads:[~2022-05-17 19:16 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-04 13:59 [PATCH v5 00/10] Add arc4random support Adhemerval Zanella
2022-05-04 13:59 ` [PATCH v5 01/10] stdlib: Add arc4random, arc4random_buf, and arc4random_uniform (BZ #4417) Adhemerval Zanella
2022-05-04 14:15 ` Andreas Schwab
2022-05-04 14:46 ` Adhemerval Zanella
2022-05-04 14:55 ` Florian Weimer
2022-05-04 15:13 ` Adhemerval Zanella
2022-05-17 9:10 ` Yann Droneaud
2022-05-17 19:16 ` Adhemerval Zanella [this message]
2022-05-04 13:59 ` [PATCH v5 02/10] stdlib: Add arc4random tests Adhemerval Zanella
2022-05-04 13:59 ` [PATCH v5 03/10] benchtests: Add arc4random benchtest Adhemerval Zanella
2022-05-04 13:59 ` [PATCH v5 04/10] aarch64: Add optimized chacha20 Adhemerval Zanella
2022-05-04 13:59 ` [PATCH v5 05/10] x86: Add SSE2 " Adhemerval Zanella
2022-05-04 13:59 ` [PATCH v5 06/10] x86: Add AVX2 " Adhemerval Zanella
2022-05-04 13:59 ` [PATCH v5 07/10] powerpc64: Add " Adhemerval Zanella
2022-05-04 13:59 ` [PATCH v5 08/10] s390x: " Adhemerval Zanella
2022-05-04 13:59 ` [PATCH v5 09/10] stdlib: Add TLS optimization to arc4random Adhemerval Zanella
2022-05-04 13:59 ` [PATCH v5 10/10] manual: Add documentation for arc4random functions Adhemerval Zanella
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=83c88503-8c4d-1ca4-ea6d-d9df94b68c6d@linaro.org \
--to=adhemerval.zanella@linaro.org \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).