* [PATCH] arm64 sha1-ce finup: correct digest for empty data
@ 2019-05-28 12:41 Elena Petrova
2019-05-28 13:03 ` Ard Biesheuvel
2019-06-06 6:52 ` [PATCH] crypto: arm64/sha1-ce - correct digest for empty data in finup Herbert Xu
0 siblings, 2 replies; 4+ messages in thread
From: Elena Petrova @ 2019-05-28 12:41 UTC (permalink / raw)
To: linux-crypto; +Cc: Elena Petrova, stable
The sha1-ce finup implementation for ARM64 produces wrong digest
for empty input (len=0). Expected: da39a3ee..., result: 67452301...
(initial value of SHA internal state). The error is in sha1_ce_finup:
for empty data `finalize` will be 1, so the code is relying on
sha1_ce_transform to make the final round. However, in
sha1_base_do_update, the block function will not be called when
len == 0.
Fix it by setting finalize to 0 if data is empty.
Fixes: 07eb54d306f4 ("crypto: arm64/sha1-ce - move SHA-1 ARMv8 implementation to base layer")
Cc: stable@vger.kernel.org
Signed-off-by: Elena Petrova <lenaptr@google.com>
---
arch/arm64/crypto/sha1-ce-glue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/crypto/sha1-ce-glue.c b/arch/arm64/crypto/sha1-ce-glue.c
index eaa7a8258f1c..0652f5f07ed1 100644
--- a/arch/arm64/crypto/sha1-ce-glue.c
+++ b/arch/arm64/crypto/sha1-ce-glue.c
@@ -55,7 +55,7 @@ static int sha1_ce_finup(struct shash_desc *desc, const u8 *data,
unsigned int len, u8 *out)
{
struct sha1_ce_state *sctx = shash_desc_ctx(desc);
- bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE);
+ bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE) && len;
if (!crypto_simd_usable())
return crypto_sha1_finup(desc, data, len, out);
--
2.22.0.rc1.257.g3120a18244-goog
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] arm64 sha1-ce finup: correct digest for empty data
2019-05-28 12:41 [PATCH] arm64 sha1-ce finup: correct digest for empty data Elena Petrova
@ 2019-05-28 13:03 ` Ard Biesheuvel
2019-05-28 14:30 ` Elena Petrova
2019-06-06 6:52 ` [PATCH] crypto: arm64/sha1-ce - correct digest for empty data in finup Herbert Xu
1 sibling, 1 reply; 4+ messages in thread
From: Ard Biesheuvel @ 2019-05-28 13:03 UTC (permalink / raw)
To: Elena Petrova; +Cc: open list:HARDWARE RANDOM NUMBER GENERATOR CORE, stable
On Tue, 28 May 2019 at 14:42, Elena Petrova <lenaptr@google.com> wrote:
>
> The sha1-ce finup implementation for ARM64 produces wrong digest
> for empty input (len=0). Expected: da39a3ee..., result: 67452301...
> (initial value of SHA internal state). The error is in sha1_ce_finup:
> for empty data `finalize` will be 1, so the code is relying on
> sha1_ce_transform to make the final round. However, in
> sha1_base_do_update, the block function will not be called when
> len == 0.
>
> Fix it by setting finalize to 0 if data is empty.
>
> Fixes: 07eb54d306f4 ("crypto: arm64/sha1-ce - move SHA-1 ARMv8 implementation to base layer")
> Cc: stable@vger.kernel.org
> Signed-off-by: Elena Petrova <lenaptr@google.com>
Thanks for the fix
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
It looks like the sha224/256 suffers from the same issue. Would you
mind sending out a fix for that as well? Thanks.
> ---
> arch/arm64/crypto/sha1-ce-glue.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/arm64/crypto/sha1-ce-glue.c b/arch/arm64/crypto/sha1-ce-glue.c
> index eaa7a8258f1c..0652f5f07ed1 100644
> --- a/arch/arm64/crypto/sha1-ce-glue.c
> +++ b/arch/arm64/crypto/sha1-ce-glue.c
> @@ -55,7 +55,7 @@ static int sha1_ce_finup(struct shash_desc *desc, const u8 *data,
> unsigned int len, u8 *out)
> {
> struct sha1_ce_state *sctx = shash_desc_ctx(desc);
> - bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE);
> + bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE) && len;
>
> if (!crypto_simd_usable())
> return crypto_sha1_finup(desc, data, len, out);
> --
> 2.22.0.rc1.257.g3120a18244-goog
>
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] arm64 sha1-ce finup: correct digest for empty data
2019-05-28 13:03 ` Ard Biesheuvel
@ 2019-05-28 14:30 ` Elena Petrova
0 siblings, 0 replies; 4+ messages in thread
From: Elena Petrova @ 2019-05-28 14:30 UTC (permalink / raw)
To: Ard Biesheuvel; +Cc: open list:HARDWARE RANDOM NUMBER GENERATOR CORE, stable
Yep, sha2 also has the bug, I'll be sending the fix soon, thanks!
On Tue, 28 May 2019 at 14:03, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>
> On Tue, 28 May 2019 at 14:42, Elena Petrova <lenaptr@google.com> wrote:
> >
> > The sha1-ce finup implementation for ARM64 produces wrong digest
> > for empty input (len=0). Expected: da39a3ee..., result: 67452301...
> > (initial value of SHA internal state). The error is in sha1_ce_finup:
> > for empty data `finalize` will be 1, so the code is relying on
> > sha1_ce_transform to make the final round. However, in
> > sha1_base_do_update, the block function will not be called when
> > len == 0.
> >
> > Fix it by setting finalize to 0 if data is empty.
> >
> > Fixes: 07eb54d306f4 ("crypto: arm64/sha1-ce - move SHA-1 ARMv8 implementation to base layer")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Elena Petrova <lenaptr@google.com>
>
> Thanks for the fix
>
> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>
> It looks like the sha224/256 suffers from the same issue. Would you
> mind sending out a fix for that as well? Thanks.
>
> > ---
> > arch/arm64/crypto/sha1-ce-glue.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/arch/arm64/crypto/sha1-ce-glue.c b/arch/arm64/crypto/sha1-ce-glue.c
> > index eaa7a8258f1c..0652f5f07ed1 100644
> > --- a/arch/arm64/crypto/sha1-ce-glue.c
> > +++ b/arch/arm64/crypto/sha1-ce-glue.c
> > @@ -55,7 +55,7 @@ static int sha1_ce_finup(struct shash_desc *desc, const u8 *data,
> > unsigned int len, u8 *out)
> > {
> > struct sha1_ce_state *sctx = shash_desc_ctx(desc);
> > - bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE);
> > + bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE) && len;
> >
> > if (!crypto_simd_usable())
> > return crypto_sha1_finup(desc, data, len, out);
> > --
> > 2.22.0.rc1.257.g3120a18244-goog
> >
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] crypto: arm64/sha1-ce - correct digest for empty data in finup
2019-05-28 12:41 [PATCH] arm64 sha1-ce finup: correct digest for empty data Elena Petrova
2019-05-28 13:03 ` Ard Biesheuvel
@ 2019-06-06 6:52 ` Herbert Xu
1 sibling, 0 replies; 4+ messages in thread
From: Herbert Xu @ 2019-06-06 6:52 UTC (permalink / raw)
To: Elena Petrova; +Cc: linux-crypto, stable
On Tue, May 28, 2019 at 01:41:52PM +0100, Elena Petrova wrote:
> The sha1-ce finup implementation for ARM64 produces wrong digest
> for empty input (len=0). Expected: da39a3ee..., result: 67452301...
> (initial value of SHA internal state). The error is in sha1_ce_finup:
> for empty data `finalize` will be 1, so the code is relying on
> sha1_ce_transform to make the final round. However, in
> sha1_base_do_update, the block function will not be called when
> len == 0.
>
> Fix it by setting finalize to 0 if data is empty.
>
> Fixes: 07eb54d306f4 ("crypto: arm64/sha1-ce - move SHA-1 ARMv8 implementation to base layer")
> Cc: stable@vger.kernel.org
> Signed-off-by: Elena Petrova <lenaptr@google.com>
> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
> arch/arm64/crypto/sha1-ce-glue.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Patch applied. Thanks.
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-06-06 6:52 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-05-28 12:41 [PATCH] arm64 sha1-ce finup: correct digest for empty data Elena Petrova
2019-05-28 13:03 ` Ard Biesheuvel
2019-05-28 14:30 ` Elena Petrova
2019-06-06 6:52 ` [PATCH] crypto: arm64/sha1-ce - correct digest for empty data in finup Herbert Xu
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.