On Mon, Jun 01, 2015 at 01:43:58PM +0200, Martin Willi wrote:
> > +static int poly1305_setkey(struct crypto_shash *tfm, > + const u8 *key, unsigned int keylen) > +{ > + struct poly1305_ctx *ctx = crypto_shash_ctx(tfm); > + > + if (keylen != POLY1305_KEY_SIZE) { > + crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); > + return -EINVAL; > + } > + > + /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */ > + ctx->r[0] = (le32_to_cpuvp(key + 0) >> 0) & 0x3ffffff; > + ctx->r[1] = (le32_to_cpuvp(key + 3) >> 2) & 0x3ffff03; > + ctx->r[2] = (le32_to_cpuvp(key + 6) >> 4) & 0x3ffc0ff; > + ctx->r[3] = (le32_to_cpuvp(key + 9) >> 6) & 0x3f03fff; > + ctx->r[4] = (le32_to_cpuvp(key + 12) >> 8) & 0x00fffff; > + > + ctx->s[0] = le32_to_cpuvp(key + 16); > + ctx->s[1] = le32_to_cpuvp(key + 20); > + ctx->s[2] = le32_to_cpuvp(key + 24); > + ctx->s[3] = le32_to_cpuvp(key + 28); > + > + return 0; > +}

I just realised that this doesn't quite work. The key is shared by all users of the tfm, yet in your case you need it to be local to the shash_desc as otherwise two packets processed in parallel will overwrite each other's key.

I think the simplest solution is to make the key the beginning of the hashed text instead. So the first two blocks that you process get used as the key.

What do you think?

Cheers,
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
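
Review bot: the loads at key + 3, key + 6 and key + 9 in poly1305_setkey() read 32-bit words from offsets that are not multiples of four, so they are unaligned whatever the alignment of key itself. Unless le32_to_cpuvp() is an unaligned-safe accessor, these reads should go through get_unaligned_le32() so the clamp does not depend on the architecture tolerating unaligned access.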
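
The suggestion in the reply above, as an added example (not code from the patch or from the kernel): the key arrives as the first 32 bytes of the hashed data and is stored in per-request state, so two requests processed in parallel cannot overwrite each other's key. `struct desc_key`, `desc_init` and `desc_update` are hypothetical names; the block covers the key-consumption step, including a key split across update calls, and reuses the clamp masks from the quoted setkey.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_SIZE 32 /* 16 bytes of r followed by 16 bytes of s */

/* Hypothetical per-request state, standing in for the shash_desc context. */
struct desc_key {
	uint8_t kbuf[KEY_SIZE]; /* key bytes seen so far; may span updates */
	size_t klen;
	uint32_t r[5], s[4];
	int keyed; /* 1 once all 32 key bytes have arrived */
};

static uint32_t le32(const uint8_t *p) /* alignment-safe little-endian load */
{
	return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 |
	       (uint32_t)p[3] << 24;
}

static void desc_init(struct desc_key *d) { memset(d, 0, sizeof(*d)); }

/* Consume leading key bytes; returns how many bytes of p remain as message. */
static size_t desc_update(struct desc_key *d, const uint8_t *p, size_t n)
{
	size_t take = d->keyed ? 0 : KEY_SIZE - d->klen;
	const uint8_t *k = d->kbuf;

	if (take > n)
		take = n;
	memcpy(d->kbuf + d->klen, p, take);
	d->klen += take;
	if (d->keyed || d->klen < KEY_SIZE)
		return n - take;
	/* Same 26-bit limb split and clamp as the quoted poly1305_setkey(). */
	d->r[0] = (le32(k + 0) >> 0) & 0x3ffffff;
	d->r[1] = (le32(k + 3) >> 2) & 0x3ffff03;
	d->r[2] = (le32(k + 6) >> 4) & 0x3ffc0ff;
	d->r[3] = (le32(k + 9) >> 6) & 0x3f03fff;
	d->r[4] = (le32(k + 12) >> 8) & 0x00fffff;
	for (int i = 0; i < 4; i++)
		d->s[i] = le32(k + 16 + 4 * i);
	d->keyed = 1;
	return n - take;
}
```

The bytes that `desc_update` reports as remaining are the ones the MAC arithmetic would then process with that request's own `r` and `s`.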