On Sunday, 6 September 2015, 16:33:26, Andrzej Zaborowski wrote:

Hi Andrzej,

>>> + for (pos = 2; pos < child_req->dst_len; pos++)
>>> + if (dst[pos] == 0x00)
>>> + break;
>>
>> What happens if the padding has a 0x00 in its pseudo random data?
>
> The pseudo random bytes must all be non-zero for the padding to be
> unambiguous (RFC3447 iirc). If there's a 0x00 in the first 8 bytes

I see, I did not know that detail.

Now, you use prandom_u32_max to generate the padding in case of
encryption/signing. I do not see any code that filters out any 0x00 that
may be generated by this call. How would it be prevented that this code
does not generate 0x00?

Ciao
Stephan

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
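Review bot: as quoted, the separator search has no guard for its two exit conditions: the loop can reach child_req->dst_len without ever seeing a 0x00 (pos == child_req->dst_len), and a 0x00 found at pos < 10 means fewer than the eight non-zero padding bytes RFC 3447 requires before the separator, which is exactly the case Andrzej's reply says makes the padding unambiguous only when absent. A check directly after the loop, e.g. `if (pos == child_req->dst_len || pos < 10) return -EINVAL;`, would turn both into an explicit decode error instead of leaving them to whatever uses pos afterwards; the search itself is only sound if the encoding side guarantees it never writes 0x00 into the padding, which is the open question in this reply.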
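As an added example, not code from Andrzej's patch or from the kernel, here is PKCS#1 v1.5 type 2 padding and unpadding in C with the two properties this exchange turns on: the padding string is built from bytes that are rejected if they come out as 0x00, and the decoder refuses a missing separator or one that arrives before eight padding bytes. The PRNG is a constructed stand-in so the example runs deterministically, and the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed example (not the kernel patch): PKCS#1 v1.5 type 2 padding,
 * RFC 3447 7.2: em = 0x00 || 0x02 || PS (>= 8 non-zero bytes) || 0x00 || M.
 * Stand-in for a real RNG so the example is deterministic: an LCG with the
 * 0x00 rejection the thread asks about; the kernel would use its own RNG. */
static uint32_t rng_state = 0x9e3779b9u;
static uint8_t nonzero_random_byte(void)
{
    uint8_t b;
    do {
        rng_state = rng_state * 1103515245u + 12345u;
        b = (uint8_t)(rng_state >> 16);
    } while (b == 0);            /* PS must not contain 0x00 */
    return b;
}

/* Encode msg into em[k]. Returns 0, or -1 if msg does not fit (k >= mlen+11). */
int pkcs1_pad_type2(const uint8_t *msg, size_t mlen, uint8_t *em, size_t k)
{
    size_t i, ps_len;
    if (mlen + 11 > k)
        return -1;
    ps_len = k - mlen - 3;       /* header (2) + separator (1) */
    em[0] = 0x00;
    em[1] = 0x02;
    for (i = 0; i < ps_len; i++)
        em[2 + i] = nonzero_random_byte();
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, msg, mlen);
    return 0;
}

/* Decode em[k]: returns message length and points *msg into em, or -1 on
 * a bad header, a missing separator, or a separator before 8 PS bytes. */
int pkcs1_unpad_type2(const uint8_t *em, size_t k, const uint8_t **msg)
{
    size_t pos;
    if (k < 11 || em[0] != 0x00 || em[1] != 0x02)
        return -1;
    for (pos = 2; pos < k; pos++) /* same search as the patch's loop */
        if (em[pos] == 0x00)
            break;
    if (pos == k || pos < 10)    /* ran off the end, or PS shorter than 8 */
        return -1;
    *msg = em + pos + 1;
    return (int)(k - pos - 1);
}
```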