Yep, sha2 also has the bug, I'll be sending the fix soon, thanks!
On Tue, 28 May 2019 at 14:03, Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx> wrote:
>
> On Tue, 28 May 2019 at 14:42, Elena Petrova <lenaptr@xxxxxxxxxx> wrote:
> >
> > The sha1-ce finup implementation for ARM64 produces wrong digest
> > for empty input (len=0). Expected: da39a3ee..., result: 67452301...
> > (initial value of SHA internal state). The error is in sha1_ce_finup:
> > for empty data `finalize` will be 1, so the code is relying on
> > sha1_ce_transform to make the final round. However, in
> > sha1_base_do_update, the block function will not be called when
> > len == 0.
> >
> > Fix it by setting finalize to 0 if data is empty.
> >
> > Fixes: 07eb54d306f4 ("crypto: arm64/sha1-ce - move SHA-1 ARMv8 implementation to base layer")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Elena Petrova <lenaptr@xxxxxxxxxx>
>
> Thanks for the fix
>
> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
>
> It looks like the sha224/256 suffers from the same issue. Would you
> mind sending out a fix for that as well? Thanks.
>
> > ---
> > arch/arm64/crypto/sha1-ce-glue.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/arch/arm64/crypto/sha1-ce-glue.c b/arch/arm64/crypto/sha1-ce-glue.c
> > index eaa7a8258f1c..0652f5f07ed1 100644
> > --- a/arch/arm64/crypto/sha1-ce-glue.c
> > +++ b/arch/arm64/crypto/sha1-ce-glue.c
> > @@ -55,7 +55,7 @@ static int sha1_ce_finup(struct shash_desc *desc, const u8 *data,
> > unsigned int len, u8 *out)
> > {
> > struct sha1_ce_state *sctx = shash_desc_ctx(desc);
> > - bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE);
> > + bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE) && len;
> >
> > if (!crypto_simd_usable())
> > return crypto_sha1_finup(desc, data, len, out);
> > --
> > 2.22.0.rc1.257.g3120a18244-goog
> >
