All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] arm64 sha2-ce finup: correct digest for empty data
@ 2019-05-28 14:35 Elena Petrova
  2019-05-28 14:36 ` Ard Biesheuvel
  2019-06-06  6:52 ` [PATCH] crypto: arm64/sha2-ce - correct digest for empty data in finup Herbert Xu
  0 siblings, 2 replies; 3+ messages in thread
From: Elena Petrova @ 2019-05-28 14:35 UTC (permalink / raw)
  To: linux-crypto; +Cc: Elena Petrova, stable

The sha256-ce finup implementation for ARM64 produces wrong digest
for empty input (len=0). Expected: the actual digest, result: initial
value of SHA internal state. The error is in sha256_ce_finup:
for empty data `finalize` will be 1, so the code is relying on
sha2_ce_transform to make the final round. However, in
sha256_base_do_update, the block function will not be called when
len == 0.

Fix it by setting finalize to 0 if data is empty.

Fixes: 03802f6a80b3a ("crypto: arm64/sha2-ce - move SHA-224/256 ARMv8 implementation to base layer")
Cc: stable@vger.kernel.org
Signed-off-by: Elena Petrova <lenaptr@google.com>
---
 arch/arm64/crypto/sha2-ce-glue.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/crypto/sha2-ce-glue.c b/arch/arm64/crypto/sha2-ce-glue.c
index a725997e55f2..6a5ade974a35 100644
--- a/arch/arm64/crypto/sha2-ce-glue.c
+++ b/arch/arm64/crypto/sha2-ce-glue.c
@@ -60,7 +60,7 @@ static int sha256_ce_finup(struct shash_desc *desc, const u8 *data,
 			   unsigned int len, u8 *out)
 {
 	struct sha256_ce_state *sctx = shash_desc_ctx(desc);
-	bool finalize = !sctx->sst.count && !(len % SHA256_BLOCK_SIZE);
+	bool finalize = !sctx->sst.count && !(len % SHA256_BLOCK_SIZE) && len;
 
 	if (!crypto_simd_usable()) {
 		if (len)
-- 
2.22.0.rc1.257.g3120a18244-goog


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] arm64 sha2-ce finup: correct digest for empty data
  2019-05-28 14:35 [PATCH] arm64 sha2-ce finup: correct digest for empty data Elena Petrova
@ 2019-05-28 14:36 ` Ard Biesheuvel
  2019-06-06  6:52 ` [PATCH] crypto: arm64/sha2-ce - correct digest for empty data in finup Herbert Xu
  1 sibling, 0 replies; 3+ messages in thread
From: Ard Biesheuvel @ 2019-05-28 14:36 UTC (permalink / raw)
  To: Elena Petrova; +Cc: open list:HARDWARE RANDOM NUMBER GENERATOR CORE, stable

On Tue, 28 May 2019 at 16:35, Elena Petrova <lenaptr@google.com> wrote:
>
> The sha256-ce finup implementation for ARM64 produces wrong digest
> for empty input (len=0). Expected: the actual digest, result: initial
> value of SHA internal state. The error is in sha256_ce_finup:
> for empty data `finalize` will be 1, so the code is relying on
> sha2_ce_transform to make the final round. However, in
> sha256_base_do_update, the block function will not be called when
> len == 0.
>
> Fix it by setting finalize to 0 if data is empty.
>
> Fixes: 03802f6a80b3a ("crypto: arm64/sha2-ce - move SHA-224/256 ARMv8 implementation to base layer")
> Cc: stable@vger.kernel.org
> Signed-off-by: Elena Petrova <lenaptr@google.com>

Thanks again

Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

> ---
>  arch/arm64/crypto/sha2-ce-glue.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/arm64/crypto/sha2-ce-glue.c b/arch/arm64/crypto/sha2-ce-glue.c
> index a725997e55f2..6a5ade974a35 100644
> --- a/arch/arm64/crypto/sha2-ce-glue.c
> +++ b/arch/arm64/crypto/sha2-ce-glue.c
> @@ -60,7 +60,7 @@ static int sha256_ce_finup(struct shash_desc *desc, const u8 *data,
>                            unsigned int len, u8 *out)
>  {
>         struct sha256_ce_state *sctx = shash_desc_ctx(desc);
> -       bool finalize = !sctx->sst.count && !(len % SHA256_BLOCK_SIZE);
> +       bool finalize = !sctx->sst.count && !(len % SHA256_BLOCK_SIZE) && len;
>
>         if (!crypto_simd_usable()) {
>                 if (len)
> --
> 2.22.0.rc1.257.g3120a18244-goog
>

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] crypto: arm64/sha2-ce - correct digest for empty data in finup
  2019-05-28 14:35 [PATCH] arm64 sha2-ce finup: correct digest for empty data Elena Petrova
  2019-05-28 14:36 ` Ard Biesheuvel
@ 2019-06-06  6:52 ` Herbert Xu
  1 sibling, 0 replies; 3+ messages in thread
From: Herbert Xu @ 2019-06-06  6:52 UTC (permalink / raw)
  To: Elena Petrova; +Cc: linux-crypto, stable

On Tue, May 28, 2019 at 03:35:06PM +0100, Elena Petrova wrote:
> The sha256-ce finup implementation for ARM64 produces wrong digest
> for empty input (len=0). Expected: the actual digest, result: initial
> value of SHA internal state. The error is in sha256_ce_finup:
> for empty data `finalize` will be 1, so the code is relying on
> sha2_ce_transform to make the final round. However, in
> sha256_base_do_update, the block function will not be called when
> len == 0.
> 
> Fix it by setting finalize to 0 if data is empty.
> 
> Fixes: 03802f6a80b3a ("crypto: arm64/sha2-ce - move SHA-224/256 ARMv8 implementation to base layer")
> Cc: stable@vger.kernel.org
> Signed-off-by: Elena Petrova <lenaptr@google.com>
> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
>  arch/arm64/crypto/sha2-ce-glue.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-06-06  6:52 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-05-28 14:35 [PATCH] arm64 sha2-ce finup: correct digest for empty data Elena Petrova
2019-05-28 14:36 ` Ard Biesheuvel
2019-06-06  6:52 ` [PATCH] crypto: arm64/sha2-ce - correct digest for empty data in finup Herbert Xu

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.