On 6 September 2015 at 23:17, Stephan Mueller <smueller@xxxxxxxxxx> wrote:
> On Sunday, 6 September 2015, 16:33:26, Andrzej Zaborowski wrote:
>
> Hi Andrzej,
>
>>>> + for (pos = 2; pos < child_req->dst_len; pos++)
>>>> + if (dst[pos] == 0x00)
>>>> + break;
>>>
>>> What happens if the padding has a 0x00 in its pseudo random data?
>>
>> The pseudo random bytes must all be non-zero for the padding to be
>> unambiguous (RFC3447 iirc). If there's a 0x00 in the first 8 bytes
>
> I see, I did not know that detail. Now, you use prandom_u32_max to generate
> the padding in case of encryption/signing. I do not see any code that filters
> out any 0x00 that may be generated by this call.

Specifically I use 1 + prandom_u32_max(255) which should give me numbers > 0 although it can't be perfectly uniform.

Best regards
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
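Review bot: the loop `for (pos = 2; pos < child_req->dst_len; pos++)` stops at the first 0x00, but in the lines shown nothing distinguishes a found separator from a scan that ran off the end, and nothing rejects a separator that arrives too early; EME-PKCS1-v1_5 decoding (RFC 3447 section 7.2.2) requires a decryption error both when no 0x00 follows the 0x02 marker and when PS is shorter than 8 octets, so the code after the loop should treat `pos == child_req->dst_len` and `pos < 10` as the same failure. The early `break` also makes the scan time depend on where the separator sits, which on a decryption path is exactly the signal a padding oracle needs; scanning the whole buffer and recording the first zero position with a mask removes that dependence. On the padding side discussed in the thread, `1 + prandom_u32_max(255)` does keep PS non-zero, but prandom is not a cryptographic generator, so encryption padding should be drawn from `get_random_bytes()` with any zero octets replaced.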
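The padding rules the thread is circling (all PS octets non-zero, a single 0x00 separator, at least 8 octets of PS before it) written out as an encode/decode pair with the checks a decoder has to make. This is an added example, not code from the patch under review or from the kernel's RSA implementation; the xorshift generator, the sample message and the names pkcs1_v15_pad/pkcs1_v15_unpad are the example's own constructed stand-ins.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed xorshift32 generator so the example runs offline and
 * deterministically.  Illustration only: real padding must come from
 * a cryptographic RNG. */
static uint32_t xs_state = 0x9e3779b9u;
static uint32_t xs_next(void)
{
    uint32_t x = xs_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return xs_state = x;
}

/* A padding octet in 1..255: zero is excluded so the first 0x00 after
 * the 0x02 marker is unambiguously the separator (same purpose as the
 * thread's 1 + prandom_u32_max(255)). */
static uint8_t nonzero_byte(void)
{
    return (uint8_t)(1 + xs_next() % 255);
}

/* EM = 0x00 || 0x02 || PS || 0x00 || M with |PS| >= 8 and PS non-zero.
 * k is the modulus length in octets.  Returns 0, or -1 if M is too long. */
int pkcs1_v15_pad(const uint8_t *msg, size_t mlen, uint8_t *em, size_t k)
{
    size_t ps_len, i;

    if (mlen + 11 > k)
        return -1;
    ps_len = k - mlen - 3;
    em[0] = 0x00;
    em[1] = 0x02;
    for (i = 0; i < ps_len; i++)
        em[2 + i] = nonzero_byte();
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, msg, mlen);
    return 0;
}

/* Decode EM.  The scan covers the whole buffer and records the first zero
 * through a mask rather than breaking out early; then every format
 * condition from RFC 3447 7.2.2 is folded into one flag: wrong leading
 * octets, no separator, or PS shorter than 8 octets (separator before
 * index 10).  Returns 0 and writes M to out/outlen, or -1 on any error. */
int pkcs1_v15_unpad(const uint8_t *em, size_t k, uint8_t *out, size_t *outlen)
{
    size_t pos, sep = k;              /* k doubles as "not found" */
    size_t found = 0, bad;

    if (k < 11)
        return -1;
    for (pos = 2; pos < k; pos++) {
        size_t is_zero = (em[pos] == 0x00);
        size_t take = is_zero & (found ^ 1);   /* first zero only */
        size_t mask = (size_t)0 - take;        /* all ones when take */
        sep = (sep & ~mask) | (pos & mask);
        found |= is_zero;
    }
    bad  = (em[0] != 0x00);
    bad |= (em[1] != 0x02);
    bad |= (found == 0);
    bad |= (sep < 10);
    if (bad)
        return -1;
    *outlen = k - sep - 1;
    memcpy(out, em + sep + 1, *outlen);
    return 0;
}

/* Self-checks used by main(); each returns 1 on the expected outcome. */
int demo_roundtrip(void)
{
    static const uint8_t msg[] = "hello";  /* constructed sample message */
    uint8_t em[64], out[64];
    size_t n, i;

    if (pkcs1_v15_pad(msg, 5, em, 64) != 0 || em[58] != 0x00)
        return 0;
    for (i = 2; i < 58; i++)               /* 56 PS octets, none zero */
        if (em[i] == 0x00)
            return 0;
    return pkcs1_v15_unpad(em, 64, out, &n) == 0 && n == 5 &&
           memcmp(out, msg, 5) == 0;
}

/* Two malformed blocks: no separator at all, then a separator after only
 * 3 octets of PS.  Both must be rejected. */
int demo_rejects_malformed(void)
{
    uint8_t em[64], out[64];
    size_t n;

    memset(em, 0x41, sizeof em);
    em[0] = 0x00; em[1] = 0x02;
    if (pkcs1_v15_unpad(em, 64, out, &n) != -1)
        return 0;
    em[5] = 0x00;
    return pkcs1_v15_unpad(em, 64, out, &n) == -1;
}

int main(void)
{
    printf("roundtrip=%d malformed_rejected=%d\n",
           demo_roundtrip(), demo_rejects_malformed());
    return 0;
}
```

The decoder deliberately computes one `bad` flag from all conditions and returns the same -1 for each, so a caller cannot tell from the return value or from the scan length which check failed.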