Andy Polyakov wrote:
>>> What happens when you issue the instruction without rep prefix?
>>
>> That's invalid instruction I believe.
>
> Dare to actually try?
Just tried => Invalid instruction ;-)
>>>> Instead its necessary to accumulate all data from
>>>> update()s in some buffer and hash them only in final().
>>>
>>> Note that there is EVP_MD_FLAG_ONESHOT, which can/should be used to
>>> avoid fallback to software at least for such cases.
>>
>> I have found this flag but didn't realise how to use it.
>
> If flag is set, just hash directly in update procedure and do nothing
> [but byte swaping?] in final. Instead of doing nothing but copying in
> update procedure and do hashing in final.
What if you need to do several updates before finally hashing it? E.g.
like in HMAC? You need to store the data somewhere before actually
hashing them with padlock...
>> And IIRC it's only used in one engine. Afterall I decided it's useless
>> and wrote the software fallback path for SHA.
>
> Note that I didn't suggest to scrap software fallback [yet?], just to
> *complement* with a way to hash larger data chunk if it's readily
> available in one stroke.
How do you know that there won't be more data to come to update()? Maybe
I'm missing something w.r.t. this ONESHOT option...?
You may want to generalise the software fallback path somewhere into
openssl core, but the question is if it's worth the overhead now, when
only one engine needs it.
> BTW, as for copying. As more than likely
> sensitive data gets copied into intermediate buffer, it's more than
> appropriate to zero it prior free. I only see memset on padlock
> intermediate state. A.
Yeah, right. Attached is and incremental diff addressing this issue.
Michal Ludvig
--
* Personal homepage: http://www.logix.cz/michal
Index: openssl-0.9.8/crypto/engine/eng_padlock.c
===================================================================
--- openssl-0.9.8.orig/crypto/engine/eng_padlock.c
+++ openssl-0.9.8/crypto/engine/eng_padlock.c
@@ -1153,6 +1153,7 @@ padlock_sha_bypass(struct padlock_digest
if (ddata->buf_start && ddata->used > 0) {
SHA1_Update(&ddata->fallback_ctx, ddata->buf_start,
ddata->used);
if (ddata->buf_alloc) {
+ memset(ddata->buf_start, 0, ddata->used);
free(ddata->buf_alloc);
ddata->buf_alloc = 0;
}
@@ -1266,6 +1267,7 @@ padlock_sha_final(EVP_MD_CTX *ctx, unsig
/* Pass the input buffer to PadLock microcode... */
padlock_do_sha1(ddata->buf_start, md, ddata->used);
+ memset(ddata->buf_start, 0, ddata->used);
free(ddata->buf_alloc);
ddata->buf_start = 0;
ddata->buf_alloc = 0;
@@ -1298,8 +1300,10 @@ padlock_sha_cleanup(EVP_MD_CTX *ctx)
{
struct padlock_digest_data *ddata = DIGEST_DATA(ctx);
- if (ddata->buf_alloc)
+ if (ddata->buf_alloc) {
+ memset(ddata->buf_start, 0, ddata->used);
free(ddata->buf_alloc);
+ }
memset(ddata, 0, sizeof(struct padlock_digest_data));
