From: Elena Petrova
Date: Tue, 28 May 2019 15:30:27 +0100
Subject: Re: [PATCH] arm64 sha1-ce finup: correct digest for empty data
To: Ard Biesheuvel
Cc: "open list:HARDWARE RANDOM NUMBER GENERATOR CORE", stable
References: <20190528124152.191773-1-lenaptr@google.com>
X-Mailing-List: linux-crypto@vger.kernel.org

Yep, sha2 also has the bug, I'll be sending the fix soon, thanks!

On Tue, 28 May 2019 at 14:03, Ard Biesheuvel wrote:
>
> On Tue, 28 May 2019 at 14:42, Elena Petrova wrote:
> >
> > The sha1-ce finup implementation for ARM64 produces wrong digest
> > for empty input (len=0). Expected: da39a3ee..., result: 67452301...
> > (initial value of SHA internal state). The error is in sha1_ce_finup:
> > for empty data `finalize` will be 1, so the code is relying on
> > sha1_ce_transform to make the final round. However, in
> > sha1_base_do_update, the block function will not be called when
> > len == 0.
> >
> > Fix it by setting finalize to 0 if data is empty.
> >
> > Fixes: 07eb54d306f4 ("crypto: arm64/sha1-ce - move SHA-1 ARMv8 implementation to base layer")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Elena Petrova > > Thanks for the fix > > Reviewed-by: Ard Biesheuvel > > It looks like the sha224/256 suffers from the same issue. Would you > mind sending out a fix for that as well? Thanks. > > > --- > > arch/arm64/crypto/sha1-ce-glue.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/arch/arm64/crypto/sha1-ce-glue.c b/arch/arm64/crypto/sha1-ce-glue.c > > index eaa7a8258f1c..0652f5f07ed1 100644 > > --- a/arch/arm64/crypto/sha1-ce-glue.c > > +++ b/arch/arm64/crypto/sha1-ce-glue.c > > @@ -55,7 +55,7 @@ static int sha1_ce_finup(struct shash_desc *desc, const u8 *data, > > unsigned int len, u8 *out) > > { > > struct sha1_ce_state *sctx = shash_desc_ctx(desc); > > - bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE); > > + bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE) && len; > > > > if (!crypto_simd_usable()) > > return crypto_sha1_finup(desc, data, len, out); > > -- > > 2.22.0.rc1.257.g3120a18244-goog > >
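Review bot: the `&& len` term added to the `finalize` initializer in sha1_ce_finup carries no comment, and the reason for it cannot be read off the expression. The commit message has the explanation (sha1_base_do_update does not call the block function when len == 0, so nothing performs the final round and the initial state is returned as the digest); a one-line comment above the initializer stating that would keep the term from being dropped in a later cleanup. Spelling it `len != 0`, or testing it first in the chain, would also read more clearly than a bare `unsigned int` at the end of a boolean expression. Because the failure was a silently wrong digest rather than an error, a zero-length finup case in the tests for this driver would be worth adding with the fix, and the same initializer should be checked in the sha224/256 code raised in the review reply.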