crypto: arm64/sha2-ce – correct digest for empty data in finup [Linux 4.4.187]

This Linux kernel change "crypto: arm64/sha2-ce – correct digest for empty data in finup" is included in the Linux 4.4.187 release. This change is authored by Elena Petrova <lenaptr [at]> on Tue May 28 15:35:06 2019 +0100. The commit for this change in Linux stable tree is e373035 (patch) which is from upstream commit 6bd934d. The same Linux upstream change may have been applied to various maintained Linux releases and you can find all Linux releases containing changes from upstream 6bd934d.

crypto: arm64/sha2-ce - correct digest for empty data in finup

commit 6bd934de1e393466b319d29c4427598fda096c57 upstream.

The sha256-ce finup implementation for ARM64 produces wrong digest
for empty input (len=0). Expected: the actual digest, result: initial
value of SHA internal state. The error is in sha256_ce_finup:
for empty data `finalize` will be 1, so the code is relying on
sha2_ce_transform to make the final round. However, in
sha256_base_do_update, the block function will not be called when
len == 0.

Fix it by setting finalize to 0 if data is empty.

Fixes: 03802f6a80b3a ("crypto: arm64/sha2-ce - move SHA-224/256 ARMv8 implementation to base layer")
Signed-off-by: Elena Petrova <>
Reviewed-by: Ard Biesheuvel <>
Signed-off-by: Herbert Xu <>
Signed-off-by: Greg Kroah-Hartman <>

There are 2 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 arch/arm64/crypto/sha2-ce-glue.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/crypto/sha2-ce-glue.c b/arch/arm64/crypto/sha2-ce-glue.c
index 0ed9486..356ca93 100644
--- a/arch/arm64/crypto/sha2-ce-glue.c
+++ b/arch/arm64/crypto/sha2-ce-glue.c
@@ -52,7 +52,7 @@ static int sha256_ce_finup(struct shash_desc *desc, const u8 *data,
               unsigned int len, u8 *out)
    struct sha256_ce_state *sctx = shash_desc_ctx(desc);
-   bool finalize = !sctx->sst.count && !(len % SHA256_BLOCK_SIZE);
+   bool finalize = !sctx->sst.count && !(len % SHA256_BLOCK_SIZE) && len;

     * Allow the asm code to perform the finalization if there is no

Leave a Reply

Your email address will not be published. Required fields are marked *