Fix requests for "plain" SHA digests of an empty buffer.

To workaround limitations in the crypto engine, empty buffers are handled by manually constructing the final length block as the payload passed to the crypto engine and disabling the normal "final" handling. For HMAC this length block should hold the length of a single block since the hash is actually the hash of the IPAD digest, but for "plain" SHA the length should be zero instead. Reported by: NIST SHA1 test failure MFC after: 2 weeks Sponsored by: Chelsio Communications
2019-04-24 23:18:10 +00:00 · 2019-04-24 23:18:10 +00:00 · 082c6b646e
commit 082c6b646e
parent a57a65124e
1 changed files with 3 additions and 2 deletions
--- a/sys/dev/cxgbe/crypto/t4_crypto.c
+++ b/sys/dev/cxgbe/crypto/t4_crypto.c
@ -537,8 +537,9 @@ ccr_hash(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp)
 	dst = (char *)(crwr + 1) + kctx_len + DUMMY_BYTES;
 	if (crd->crd_len == 0) {
 		dst[0] = 0x80;
-		*(uint64_t *)(dst + axf->blocksize - sizeof(uint64_t)) =
-		    htobe64(axf->blocksize << 3);
+		if (s->mode == HMAC)
+			*(uint64_t *)(dst + axf->blocksize - sizeof(uint64_t)) =
+			    htobe64(axf->blocksize << 3);
 	} else if (imm_len != 0)
 		crypto_copydata(crp->crp_flags, crp->crp_buf, crd->crd_skip,
 		    crd->crd_len, dst);