| Message ID | 20190528124152.191773-1-lenaptr@google.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Herbert Xu |
| Headers | show |
| Series | arm64 sha1-ce finup: correct digest for empty data | expand |
On Tue, 28 May 2019 at 14:42, Elena Petrova <lenaptr@google.com> wrote: > > The sha1-ce finup implementation for ARM64 produces wrong digest > for empty input (len=0). Expected: da39a3ee..., result: 67452301... > (initial value of SHA internal state). The error is in sha1_ce_finup: > for empty data `finalize` will be 1, so the code is relying on > sha1_ce_transform to make the final round. However, in > sha1_base_do_update, the block function will not be called when > len == 0. > > Fix it by setting finalize to 0 if data is empty. > > Fixes: 07eb54d306f4 ("crypto: arm64/sha1-ce - move SHA-1 ARMv8 implementation to base layer") > Cc: stable@vger.kernel.org > Signed-off-by: Elena Petrova <lenaptr@google.com> Thanks for the fix Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> It looks like the sha224/256 suffers from the same issue. Would you mind sending out a fix for that as well? Thanks. > --- > arch/arm64/crypto/sha1-ce-glue.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/arm64/crypto/sha1-ce-glue.c b/arch/arm64/crypto/sha1-ce-glue.c > index eaa7a8258f1c..0652f5f07ed1 100644 > --- a/arch/arm64/crypto/sha1-ce-glue.c > +++ b/arch/arm64/crypto/sha1-ce-glue.c > @@ -55,7 +55,7 @@ static int sha1_ce_finup(struct shash_desc *desc, const u8 *data, > unsigned int len, u8 *out) > { > struct sha1_ce_state *sctx = shash_desc_ctx(desc); > - bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE); > + bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE) && len; > > if (!crypto_simd_usable()) > return crypto_sha1_finup(desc, data, len, out); > -- > 2.22.0.rc1.257.g3120a18244-goog >
Yep, sha2 also has the bug, I'll be sending the fix soon, thanks! On Tue, 28 May 2019 at 14:03, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote: > > On Tue, 28 May 2019 at 14:42, Elena Petrova <lenaptr@google.com> wrote: > > > > The sha1-ce finup implementation for ARM64 produces wrong digest > > for empty input (len=0). Expected: da39a3ee..., result: 67452301... > > (initial value of SHA internal state). The error is in sha1_ce_finup: > > for empty data `finalize` will be 1, so the code is relying on > > sha1_ce_transform to make the final round. However, in > > sha1_base_do_update, the block function will not be called when > > len == 0. > > > > Fix it by setting finalize to 0 if data is empty. > > > > Fixes: 07eb54d306f4 ("crypto: arm64/sha1-ce - move SHA-1 ARMv8 implementation to base layer") > > Cc: stable@vger.kernel.org > > Signed-off-by: Elena Petrova <lenaptr@google.com> > > Thanks for the fix > > Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> > > It looks like the sha224/256 suffers from the same issue. Would you > mind sending out a fix for that as well? Thanks. > > > --- > > arch/arm64/crypto/sha1-ce-glue.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/arch/arm64/crypto/sha1-ce-glue.c b/arch/arm64/crypto/sha1-ce-glue.c > > index eaa7a8258f1c..0652f5f07ed1 100644 > > --- a/arch/arm64/crypto/sha1-ce-glue.c > > +++ b/arch/arm64/crypto/sha1-ce-glue.c > > @@ -55,7 +55,7 @@ static int sha1_ce_finup(struct shash_desc *desc, const u8 *data, > > unsigned int len, u8 *out) > > { > > struct sha1_ce_state *sctx = shash_desc_ctx(desc); > > - bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE); > > + bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE) && len; > > > > if (!crypto_simd_usable()) > > return crypto_sha1_finup(desc, data, len, out); > > -- > > 2.22.0.rc1.257.g3120a18244-goog > >
On Tue, May 28, 2019 at 01:41:52PM +0100, Elena Petrova wrote: > The sha1-ce finup implementation for ARM64 produces wrong digest > for empty input (len=0). Expected: da39a3ee..., result: 67452301... > (initial value of SHA internal state). The error is in sha1_ce_finup: > for empty data `finalize` will be 1, so the code is relying on > sha1_ce_transform to make the final round. However, in > sha1_base_do_update, the block function will not be called when > len == 0. > > Fix it by setting finalize to 0 if data is empty. > > Fixes: 07eb54d306f4 ("crypto: arm64/sha1-ce - move SHA-1 ARMv8 implementation to base layer") > Cc: stable@vger.kernel.org > Signed-off-by: Elena Petrova <lenaptr@google.com> > Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> > --- > arch/arm64/crypto/sha1-ce-glue.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) Patch applied. Thanks.
diff --git a/arch/arm64/crypto/sha1-ce-glue.c b/arch/arm64/crypto/sha1-ce-glue.c index eaa7a8258f1c..0652f5f07ed1 100644 --- a/arch/arm64/crypto/sha1-ce-glue.c +++ b/arch/arm64/crypto/sha1-ce-glue.c @@ -55,7 +55,7 @@ static int sha1_ce_finup(struct shash_desc *desc, const u8 *data, unsigned int len, u8 *out) { struct sha1_ce_state *sctx = shash_desc_ctx(desc); - bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE); + bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE) && len; if (!crypto_simd_usable()) return crypto_sha1_finup(desc, data, len, out);
The sha1-ce finup implementation for ARM64 produces wrong digest for empty input (len=0). Expected: da39a3ee..., result: 67452301... (initial value of SHA internal state). The error is in sha1_ce_finup: for empty data `finalize` will be 1, so the code is relying on sha1_ce_transform to make the final round. However, in sha1_base_do_update, the block function will not be called when len == 0. Fix it by setting finalize to 0 if data is empty. Fixes: 07eb54d306f4 ("crypto: arm64/sha1-ce - move SHA-1 ARMv8 implementation to base layer") Cc: stable@vger.kernel.org Signed-off-by: Elena Petrova <lenaptr@google.com> --- arch/arm64/crypto/sha1-ce-glue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)