From 5a52b379902471cef495687547c7b568142f66d2 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Tue, 6 Aug 2019 19:30:12 +0200 Subject: [PATCH] sha512: fix bad hardcoded constant in sha512_final() The SHA512 implementation shipped with usign uses a wrong hardcoded numeric constant in the final block padding code. An additional transform step must be done when there are at least SHA512_BLOCK_SIZE - 16 = 112 bytes in the state buffer, however the existing code incorrectly transformed buffer data larger than or equal to 110 bytes as well, resulting in invalid hash calculations when exactly 110 or 111 remaining bytes were left in the buffer. To reproduce the issue, sign a plaintext file with a size of exactly 128 * N + 64 + 110 or 128 * N + 64 + 111 bytes using signify-openbsd and attempt to verify the signature using usign: $ signify-openbsd -G -n -p test.pub -s test.key $ dd if=/dev/zero of=test.msg bs=1 count=$((64 + 110)) $ signify-openbsd -S -x test.sig -s test.key -m test.msg $ usign -V -p test.pub -x test.sig -m test.msg Fix this issue by replacing the bad numeric constanct with a macro expression resulting in the proper value. The fix has been verified by cross checking the intermedia hash results with results from OpenSSL's SHA512 implementation and by comparing the usign SHA512 code with the hashing code shipped with signify-openbsd. Ref: https://forum.openwrt.org/t/signature-check-failed/41945 Signed-off-by: Jo-Philipp Wich --- sha512.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sha512.c b/sha512.c index 68a9e65..d06d65b 100644 --- a/sha512.c +++ b/sha512.c @@ -232,7 +232,7 @@ void sha512_final(struct sha512_state *s, uint8_t *hash) memset(&s->partial[last_size], 0, SHA512_BLOCK_SIZE - last_size); - if (last_size > 110) { + if (last_size > (SHA512_BLOCK_SIZE - 16)) { sha512_block(s, s->partial); memset(s->partial, 0, sizeof(s->partial)); } -- 2.30.2