| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1486540008.4603.3.camel@sipsolutions.net>
Date: Wed, 08 Feb 2017 08:46:48 +0100
From: Johannes Berg <johannes@...solutions.net>
To: Ard Biesheuvel <ard.biesheuvel@...aro.org>
Cc: "<linux-wireless@...r.kernel.org>" <linux-wireless@...r.kernel.org>,
"David S. Miller" <davem@...emloft.net>,
"<netdev@...r.kernel.org>" <netdev@...r.kernel.org>,
Jouni Malinen <jouni@....qualcomm.com>
Subject: Re: [PATCH v3 1/2] mac80211: fils_aead: Use crypto api CMAC shash
rather than bare cipher
On Wed, 2017-02-08 at 07:45 +0000, Ard Biesheuvel wrote:
> On 8 February 2017 at 07:00, Johannes Berg <johannes@...solutions.net
> > wrote:
> > This looks strange to me:
> >
> > > +static int aes_s2v(struct crypto_shash *tfm,
> > > size_t num_elem, const u8 *addr[], size_t len[],
> > > u8 *v)
> > > {
> > > - u8 d[AES_BLOCK_SIZE], tmp[AES_BLOCK_SIZE];
> > > + u8 d[AES_BLOCK_SIZE], tmp[AES_BLOCK_SIZE] = {};
> > > + SHASH_DESC_ON_STACK(desc, tfm);
> >
> > desc declared
> >
> > >
> > > + crypto_shash_digest(desc, tmp, AES_BLOCK_SIZE, d);
> >
> > used here
> >
>
> Each digest() call combines a init()/update()/final() sequence
>
> > > + crypto_shash_init(desc);
> >
> > but initialized now?
> >
>
> ... for the 6th time, or so. The final vector may require two
> update()s, so we cannot use digest() here. But we can use finup() for
> the last one, which combines update() and final().
>
> Hence,
>
> init()/finup()
>
> or
>
> init()/update()/finup()
>
> depending on the length of the last vector.
Great, thanks for the explanation :)
johannes
Powered by blists - more mailing lists