I am referring to the SHA512_224_Final() implementation in sys/crypto/sha2/sha512c.c: void SHA512_224_Final(unsigned char digest[static SHA512_224_DIGEST_LENGTH], SHA512_CTX * ctx) { /* Add padding */ SHA512_Pad(ctx); /* Write the hash */ be64enc_vect(digest, ctx->state, SHA512_224_DIGEST_LENGTH); /* Clear the context state */ explicit_bzero(ctx, sizeof(*ctx)); } We have #define SHA512_224_DIGEST_LENGTH 28 which is not a multiple of 8. We have for little-endian machines: /* * Encode a length len/4 vector of (uint64_t) into a length len vector of * (unsigned char) in big-endian form. Assumes len is a multiple of 8. */ static void be64enc_vect(unsigned char *dst, const uint64_t *src, size_t len) { size_t i; for (i = 0; i < len / 8; i++) be64enc(dst + i * 8, src[i]); } The result is that the last 32-bits of the digest are not written.
Created attachment 237936 [details] Patch to fix the bug. I would fix it like this.
(In reply to sebastian.huber from comment #1) This fix was broken, since it did overwrite the digest. I added a new fix in this pull request: https://github.com/freebsd/freebsd-src/pull/635
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=6680cfe8e0eec4427716ab50d73ab8231dd9ab28 commit 6680cfe8e0eec4427716ab50d73ab8231dd9ab28 Author: Sebastian Huber <sebastian.huber@embedded-brains.de> AuthorDate: 2023-02-06 16:57:28 +0000 Commit: Dag-Erling Smørgrav <des@FreeBSD.org> CommitDate: 2023-02-06 17:02:49 +0000 sha512_224: Fix SHA512_224_Final() on little-endian machines. PR: 266863 MFC after: 1 week Reviewed by: allanjude, cperciva, des Differential Revision: https://reviews.freebsd.org/D38372 sys/crypto/sha2/sha512c.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=b9e0160e07882ff62df7c31695e18c3197cea8b9 commit b9e0160e07882ff62df7c31695e18c3197cea8b9 Author: Sebastian Huber <sebastian.huber@embedded-brains.de> AuthorDate: 2023-02-06 16:57:28 +0000 Commit: Dag-Erling Smørgrav <des@FreeBSD.org> CommitDate: 2023-02-09 20:32:56 +0000 sha512_224: Fix SHA512_224_Final() on little-endian machines. PR: 266863 MFC after: 1 week Reviewed by: allanjude, cperciva, des Differential Revision: https://reviews.freebsd.org/D38372 (cherry picked from commit 6680cfe8e0eec4427716ab50d73ab8231dd9ab28) sys/crypto/sha2/sha512c.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)
A commit in branch stable/12 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=316cf82382e06b7abf8724e9b7804bf6dc2aa576 commit 316cf82382e06b7abf8724e9b7804bf6dc2aa576 Author: Sebastian Huber <sebastian.huber@embedded-brains.de> AuthorDate: 2023-02-06 16:57:28 +0000 Commit: Dag-Erling Smørgrav <des@FreeBSD.org> CommitDate: 2023-02-10 00:20:11 +0000 sha512_224: Fix SHA512_224_Final() on little-endian machines. PR: 266863 MFC after: 1 week Reviewed by: allanjude, cperciva, des Differential Revision: https://reviews.freebsd.org/D38372 (cherry picked from commit 6680cfe8e0eec4427716ab50d73ab8231dd9ab28) sys/crypto/sha2/sha512c.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)