Re: [PATCH 3/9] crypto: Add a generic Poly1305 authenticator implementation

On Mon, Jun 01, 2015 at 01:43:58PM +0200, Martin Willi wrote:
>
> +static int poly1305_setkey(struct crypto_shash *tfm,
> +			   const u8 *key, unsigned int keylen)
> +{
> +	struct poly1305_ctx *ctx = crypto_shash_ctx(tfm);
> +
> +	if (keylen != POLY1305_KEY_SIZE) {
> +		crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
> +		return -EINVAL;
> +	}
> +
> +	/* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
> +	ctx->r[0] = (le32_to_cpuvp(key +  0) >> 0) & 0x3ffffff;
> +	ctx->r[1] = (le32_to_cpuvp(key +  3) >> 2) & 0x3ffff03;
> +	ctx->r[2] = (le32_to_cpuvp(key +  6) >> 4) & 0x3ffc0ff;
> +	ctx->r[3] = (le32_to_cpuvp(key +  9) >> 6) & 0x3f03fff;
> +	ctx->r[4] = (le32_to_cpuvp(key + 12) >> 8) & 0x00fffff;
> +
> +	ctx->s[0] = le32_to_cpuvp(key + 16);
> +	ctx->s[1] = le32_to_cpuvp(key + 20);
> +	ctx->s[2] = le32_to_cpuvp(key + 24);
> +	ctx->s[3] = le32_to_cpuvp(key + 28);
> +
> +	return 0;
> +}
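Review bot: the loads at key + 3, key + 6 and key + 9 in poly1305_setkey() are not 4-byte aligned, so this only works if le32_to_cpuvp() is defined to tolerate misaligned pointers; get_unaligned_le32() states that intent explicitly and stays safe on architectures that trap on unaligned access. The clamp comment would also be easier to check against the spec if written with all 32 hex digits, 0x0ffffffc0ffffffc0ffffffc0fffffff, rather than the 31-digit form.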

I just realised that this doesn't quite work.  The key is shared
by all users of the tfm, yet in your case you need it to be local
to the shash_desc as otherwise two packets processed in parallel
will overwrite each other's key.

I think the simplest solution is to make the key the beginning
of the hashed text instead.  So the first two blocks that you
process get used as the key.

What do you think?

Cheers,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
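The masks applied per limb in the quoted poly1305_setkey() are supposed to be equivalent to the byte-wise clamp r &= 0x0ffffffc0ffffffc0ffffffc0fffffff that the Poly1305 specification describes. The following is an added, stand-alone C check, not code from the patch or the kernel: it derives the five 26-bit limbs of r both ways (patch-style masks versus clamping the key bytes first and then splitting with a plain 26-bit mask) and counts disagreements over an all-ones key and constructed pseudo-random keys. The le32_at() helper is a portable stand-in for the kernel's le32_to_cpuvp() that reads from any byte offset.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POLY1305_KEY_SIZE 32

/* Little-endian 32-bit load from an arbitrary, possibly unaligned, offset.
 * Stand-in for le32_to_cpuvp() in the quoted hunk (assumption: same semantics). */
static uint32_t le32_at(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The five 26-bit limbs of r, using the per-limb masks from the patch. */
static void r_limbs_masked(const uint8_t *key, uint32_t r[5])
{
	r[0] = (le32_at(key +  0) >> 0) & 0x3ffffff;
	r[1] = (le32_at(key +  3) >> 2) & 0x3ffff03;
	r[2] = (le32_at(key +  6) >> 4) & 0x3ffc0ff;
	r[3] = (le32_at(key +  9) >> 6) & 0x3f03fff;
	r[4] = (le32_at(key + 12) >> 8) & 0x00fffff;
}

/* Reference: clamp r byte-wise as the spec writes it
 * (r &= 0x0ffffffc0ffffffc0ffffffc0fffffff), then split into
 * 26-bit limbs with no further masking. */
static void r_limbs_reference(const uint8_t *key, uint32_t r[5])
{
	uint8_t c[16];

	memcpy(c, key, sizeof c);
	c[3] &= 15;  c[7] &= 15;  c[11] &= 15; c[15] &= 15; /* clear top 4 bits */
	c[4] &= 252; c[8] &= 252; c[12] &= 252;             /* clear low 2 bits */

	r[0] = (le32_at(c +  0) >> 0) & 0x3ffffff;
	r[1] = (le32_at(c +  3) >> 2) & 0x3ffffff;
	r[2] = (le32_at(c +  6) >> 4) & 0x3ffffff;
	r[3] = (le32_at(c +  9) >> 6) & 0x3ffffff;
	r[4] = (le32_at(c + 12) >> 8) & 0x3ffffff;
}

/* Returns 1 when both derivations agree for the given 32-byte key, else 0. */
int clamp_matches_reference(const uint8_t *key)
{
	uint32_t a[5], b[5];

	r_limbs_masked(key, a);
	r_limbs_reference(key, b);
	return memcmp(a, b, sizeof a) == 0;
}

/* Exercise the check on an all-ones key (every clamped bit set) and on
 * keys from a small LCG. Constructed inputs, not Poly1305 test vectors.
 * Returns the number of keys for which the two derivations disagree. */
int count_clamp_mismatches(unsigned int iterations)
{
	uint8_t key[POLY1305_KEY_SIZE];
	uint32_t state = 0x12345678u;
	unsigned int mismatches = 0, i, j;

	memset(key, 0xff, sizeof key);
	if (!clamp_matches_reference(key))
		mismatches++;

	for (i = 0; i < iterations; i++) {
		for (j = 0; j < sizeof key; j++) {
			state = state * 1664525u + 1013904223u;
			key[j] = (uint8_t)(state >> 24);
		}
		if (!clamp_matches_reference(key))
			mismatches++;
	}
	return (int)mismatches;
}

int main(void)
{
	printf("clamp mismatches over 10000 keys: %d\n",
	       count_clamp_mismatches(10000));
	return 0;
}
```

For an all-ones key the masked limbs come out equal to the mask constants themselves, which is a quick way to see which limb bits each clamped key byte lands in: byte 3's top nibble and byte 4's low two bits fall in bits 2..7 of r[1], and so on up the limbs.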