Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp5000344ybi; Tue, 28 May 2019 06:05:56 -0700 (PDT) X-Google-Smtp-Source: APXvYqxbJKJhTm41wJjzbU+/siCl8T1evYsMy772jQivhV2GSAVJhp0Nm6kkWi/AZHwaTSJhqKGV X-Received: by 2002:a17:90a:b111:: with SMTP id z17mr6020693pjq.58.1559048756525; Tue, 28 May 2019 06:05:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559048756; cv=none; d=google.com; s=arc-20160816; b=xycsZSEJxouihCA5viXndbz5KEuYNd8qIUwONrEGUnyA5ugAlf44fjKvYt+a9mV+6a unO+q+ghsSJFvzllw45O1woYDludhkx3iq8VXX4dkQyk/QPhxZMJFPDRUmd89fi2LtBI GVWe0+L0VlNlfayhk8+KbjXi0M9N0ujKuJH/iWQktdPSWIG3FDhVm1IbmTaFZ2yqqSZr j0PZ0kL1LPx7jXqxuC4qHv8/wKe5qGJDGOkkjj5H+B8qauhwWJs6HGEREl+1QtZIO99V g/tpiuvrTszSqHlG1UJgjL9qbchDMMQ6mWo5hfAliZJthTkaTVyX0DT6a6/NCMAMtNJ/ HIxw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Bh/N/QZBC3xi2c5BZMAnemmNFxYJ1TErCB/6n5Xk+X8=; b=F45wp8n6zZfHRY5RA5Xer0QI902nll3+LzVssFM997BUFa/H2wbnaOiIKNqbwDcqT6 XCbwWSDQzTDpa5abD57THgR+vjl4k/WVX8IjtlBS/VWM2dAjxXOEPxTXvV+tT6cCnblJ 5vx/zAHHjDA6lA99gmiknyVw25i/859/c46pZFDyVdsDTiZUIN8xaBq5L3eYtkkcw295 s0Sj47oe4ttqbP7k8gvGnMK3vbmbJkFzU59vJucZpUHGBlAMyKhbmvF8w+pwbkAiBiY0 lXWUTZ4mrFAg+N0+wX+KHgAlEiIFTxqfP+snra3yZ6cRTWRtYznimsDIoTT5kC2rcHGn GGaA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=ibi1V5DB; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a8si11574723plm.163.2019.05.28.06.05.37; Tue, 28 May 2019 06:05:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=ibi1V5DB; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727445AbfE1ND6 (ORCPT + 99 others); Tue, 28 May 2019 09:03:58 -0400 Received: from mail-io1-f65.google.com ([209.85.166.65]:47069 "EHLO mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726988AbfE1ND6 (ORCPT ); Tue, 28 May 2019 09:03:58 -0400 Received: by mail-io1-f65.google.com with SMTP id u25so83870iot.13 for ; Tue, 28 May 2019 06:03:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Bh/N/QZBC3xi2c5BZMAnemmNFxYJ1TErCB/6n5Xk+X8=; b=ibi1V5DBVgTanDaBzc4vcpKjo+uo+gzCpXxoaw5Whec0p10xNV17ytUzJg/eNgvVD+ yk1exn2HIfQiZpiTpBj6Sbw+Z3H8Acrybi01M4v2THSkE+mhkqB3Sn2iPaXRqqUDMRQ4 GMjDH3iCH3Md1pQU7zHViowF+TQrXnOVgsSwmLCBypcxquDdXIVfDKVawDdiiu7MGjLR 101gfrwONUcqOjIQS8n4lZXZTzL7vrWu5g15Ak5siJtxip71JvvJowxhJ2HNEXBXmNMy HBXcxiXAH7OKZqgx9F0fLEg/d7QTc2vl8+upTAqv9XtUb6wgkZE3/uGyEE51RYe1eRPj 8Y8Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Bh/N/QZBC3xi2c5BZMAnemmNFxYJ1TErCB/6n5Xk+X8=; b=IyfYHeSLazDd2RkYX4mEYALsy1IM6wKkZaY9oE1w+zFrppib2LjIclLZ5Wnzxw75QJ usOANgSdok9JDFfLOGb0wapAkiovB0JqCnEaITsw9uaUTeW+Amtuz7xPvQ28q8f0dtJK r0VADQqxSSK/2q36OtBkkr8AjJYaagMA7pFeCumqCow+NhEYSo2PJtOlaPCbx8LjYMK9 bByHuCVoxl4HtuT+V8HKTQXzjqWZ7IdnvYx506JbI/jzKSgh1Hp3i7mZLGGK5Yt5Wy8l C+yoPRtSSelkN95GeY3KA2YhWjJ1qwIgPdhpOIQpIxtc1vsj6kkVJnycmOJyDfyUmfmL 3fLQ== X-Gm-Message-State: APjAAAXHB4m+wV8TB5RPRuVl+TAzm4ppTfC54LgngP+0fGbbyPAOqidF tWl2bObh9V4xohIVlxVk2InWd+XYMQWQ0vlXM+mHgg== X-Received: by 2002:a05:6602:2109:: with SMTP id x9mr393129iox.128.1559048637409; Tue, 28 May 2019 06:03:57 -0700 (PDT) MIME-Version: 1.0 References: <20190528124152.191773-1-lenaptr@google.com> In-Reply-To: <20190528124152.191773-1-lenaptr@google.com> From: Ard Biesheuvel Date: Tue, 28 May 2019 15:03:44 +0200 Message-ID: Subject: Re: [PATCH] arm64 sha1-ce finup: correct digest for empty data To: Elena Petrova Cc: "open list:HARDWARE RANDOM NUMBER GENERATOR CORE" , stable Content-Type: text/plain; charset="UTF-8" Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Tue, 28 May 2019 at 14:42, Elena Petrova wrote: > > The sha1-ce finup implementation for ARM64 produces wrong digest > for empty input (len=0). Expected: da39a3ee..., result: 67452301... > (initial value of SHA internal state). The error is in sha1_ce_finup: > for empty data `finalize` will be 1, so the code is relying on > sha1_ce_transform to make the final round. However, in > sha1_base_do_update, the block function will not be called when > len == 0. > > Fix it by setting finalize to 0 if data is empty. > > Fixes: 07eb54d306f4 ("crypto: arm64/sha1-ce - move SHA-1 ARMv8 implementation to base layer") > Cc: stable@vger.kernel.org > Signed-off-by: Elena Petrova Thanks for the fix Reviewed-by: Ard Biesheuvel It looks like the sha224/256 suffers from the same issue. Would you mind sending out a fix for that as well? Thanks. > --- > arch/arm64/crypto/sha1-ce-glue.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/arm64/crypto/sha1-ce-glue.c b/arch/arm64/crypto/sha1-ce-glue.c > index eaa7a8258f1c..0652f5f07ed1 100644 > --- a/arch/arm64/crypto/sha1-ce-glue.c > +++ b/arch/arm64/crypto/sha1-ce-glue.c > @@ -55,7 +55,7 @@ static int sha1_ce_finup(struct shash_desc *desc, const u8 *data, > unsigned int len, u8 *out) > { > struct sha1_ce_state *sctx = shash_desc_ctx(desc); > - bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE); > + bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE) && len; > > if (!crypto_simd_usable()) > return crypto_sha1_finup(desc, data, len, out); > -- > 2.22.0.rc1.257.g3120a18244-goog >