zzy/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

s390x: Fix s390x_sha3_absorb() when no data is processed by KIMD

Browse Source 
If the data to absorb is less than a block, then the KIMD instruction is
called with zero bytes. This is superfluous, and causes incorrect hash
output later on if this is the very first absorb call, i.e. when the
xof_state is still XOF_STATE_INIT and MSA 12 is available. In this case
the NIP flag is set in the function code for KIMD, but KIMD ignores the
NIP flag when it is called with zero bytes to process.

Skip any KIMD calls for zero length data. Also do not set the xof_state
to XOF_STATE_ABSORB until the first call to KIMD with data. That way,
the next KIMD (with non-zero length data) or KLMD call will get the NIP
flag set and will then honor it to produce correct output.

Fixes: 25f5d7b85f

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25388)
This commit is contained in:
Ingo Franzki 2024-09-05 08:45:29 +02:00 committed by Tomas Mraz
parent 8af4c02ea9
commit 979dc53001
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
providers/implementations/digests/sha3_prov.c
View File

@ -198,10 +198,12 @@ static size_t s390x_sha3_absorb(void *vctx, const void *inp, size_t len)
if (!(ctx->xof_state == XOF_STATE_INIT ||
ctx->xof_state == XOF_STATE_ABSORB))
return 0;
fc = ctx->pad;
fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
ctx->xof_state = XOF_STATE_ABSORB;
s390x_kimd(inp, len - rem, fc, ctx->A);
if (len - rem > 0) {
fc = ctx->pad;
fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
ctx->xof_state = XOF_STATE_ABSORB;
s390x_kimd(inp, len - rem, fc, ctx->A);
}
return rem;
}